Critical Cisco Meeting Management Vulnerability Allows Remote Administrator Privileges
Date: January 23, 2025
Author: Ravie Lakshmanan
Tags: Network Security / Vulnerability
Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances.
Vulnerability Details
The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out of 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management.
"Proper authorization is not enforced upon REST API users," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending API requests to a specific endpoint."
A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.
Affected Versions
The following versions of the product are affected, irrespective of device configuration:
- Cisco Meeting Management release version 3.9 (patched in 3.9.1)
- Cisco Meeting Management release versions 3.8 and earlier (migrate to a fixed release)
- Cisco Meeting Management release version 3.10 (not vulnerable)
Additional Vulnerabilities
Cisco has also released patches to remediate a denial-of-service (DoS) flaw affecting BroadWorks that stems from improper memory handling for certain Session Initiation Protocol (SIP) requests (CVE-2025-20165, CVSS score: 7.5).
An attacker could exploit this vulnerability by sending a high number of SIP requests to an affected system. A successful exploit could allow the attacker to exhaust the memory that was allocated to the Cisco BroadWorks Network Servers that handle SIP traffic. If no memory is available, the Network Servers can no longer process incoming requests, resulting in a DoS condition that requires manual intervention to recover.
A third vulnerability patched by Cisco is CVE-2025-20128 (CVSS score: 5.3), an integer underflow bug impacting the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV that could also result in a DoS condition.
Reporting and Acknowledgments
The company credited Ben Leonard-Lagarde of Modux for reporting the security shortcoming. It’s worth noting that the first exploit chain was disclosed by Fortinet FortiGuard Labs in October 2024. In at least one instance, the threat actors are believed to have conducted lateral movement after gaining an initial foothold.
The second exploit chain has been found to leverage CVE-2024-8963 in combination with CVE-2024-9379 to obtain access to the target network, followed by unsuccessful attempts to implant web shells for persistence.
Government Response
The U.S. government’s cybersecurity and law enforcement agencies released technical details of two exploit chains weaponized by nation-state hacking crews to break into Ivanti’s cloud service applications in September 2024.
The attack sequences, per the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), involved the abuse of CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 in one case, and CVE-2024-8963 and CVE-2024-9379 in the other.
Threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant web shells on victim networks. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised.
Stay Informed
Follow us on Twitter and LinkedIn to read more exclusive content we post.
