Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug

submitted by
Style Pass
2025-01-23 21:30:05

Cisco has pushed a patch for a critical, 9.9-rated vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to escalate to administrator on affected devices.

The flaw, tracked as CVE-2025-20156, stems from improper enforcement of authorization for REST API users, and it takes little to exploit: a valid low-privileged account and API requests to the right endpoint.

"An attacker could exploit this vulnerability by sending API requests to a specific endpoint," Cisco warned in a Wednesday security alert, and a successful exploit could give the attacker administrator-level control over edge nodes, the video conferencing infrastructure components that this tool manages.
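
The bug class Cisco describes is an API handler that authenticates the caller but never checks whether that caller is allowed to perform an administrative action. The following is an added illustration of that pattern next to a hardened version; it is not Cisco's code, and the endpoint, node inventory, bearer tokens and role names are invented for the example.

```python
"""Authenticated-but-not-authorized REST handler (the bug class behind
CVE-2025-20156) beside a version that enforces a role check.
Hypothetical example: nothing here is Cisco Meeting Management code."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str          # "user" or "admin" (hypothetical role model)


@dataclass
class Node:
    name: str
    admin: str         # hypothetical attribute: account that administers the node


# Constructed sample data: two valid bearer tokens, one of them low-privileged.
SESSIONS = {
    "tok-admin": Session(user="alice", role="admin"),
    "tok-user": Session(user="bob", role="user"),
}


def new_inventory():
    """Fresh constructed node inventory so each call starts from the same state."""
    return {"edge-1": Node(name="edge-1", admin="alice")}


def authenticate(headers):
    """Return (session, None) for a valid bearer token, else (None, (401, msg))."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):].strip()
    session = SESSIONS.get(token)
    if session is None:
        return None, (401, "unauthenticated")
    return session, None


def set_node_admin_vulnerable(headers, nodes, node_name, new_admin):
    """Bug class: the caller is authenticated but never authorized, so any
    valid session, including the low-privileged 'bob', can take over a node."""
    session, err = authenticate(headers)
    if err:
        return err
    node = nodes.get(node_name)
    if node is None:
        return (404, "no such node")
    node.admin = new_admin
    return (200, f"{node_name} admin is now {new_admin}")


def require_role(role):
    """Decorator that enforces an explicit role check after authentication,
    so the handler body is never reached by a caller lacking that role."""
    def wrap(handler):
        def guarded(headers, nodes, *args):
            session, err = authenticate(headers)
            if err:
                return err
            if session.role != role:
                return (403, "forbidden")
            return handler(session, nodes, *args)
        return guarded
    return wrap


@require_role("admin")
def set_node_admin_fixed(session, nodes, node_name, new_admin):
    """Same action, but only reachable by an authenticated admin session."""
    node = nodes.get(node_name)
    if node is None:
        return (404, "no such node")
    node.admin = new_admin
    return (200, f"{node_name} admin is now {new_admin} (by {session.user})")


def demo():
    """Run the low-privileged token against both handlers; return status codes."""
    low = {"Authorization": "Bearer tok-user"}
    high = {"Authorization": "Bearer tok-admin"}
    return {
        "vulnerable_lowpriv": set_node_admin_vulnerable(low, new_inventory(), "edge-1", "bob")[0],
        "fixed_lowpriv": set_node_admin_fixed(low, new_inventory(), "edge-1", "bob")[0],
        "fixed_admin": set_node_admin_fixed(high, new_inventory(), "edge-1", "bob")[0],
        "fixed_no_token": set_node_admin_fixed({}, new_inventory(), "edge-1", "bob")[0],
    }


if __name__ == "__main__":
    for check, status in demo().items():
        print(f"{check}: {status}")
```

The point of the decorator is that the authorization decision is made once, before the handler body runs, rather than left to each endpoint to remember; an endpoint that forgets the check is exactly how a low-privileged REST user ends up with admin-level control.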

The vulnerability affects most Cisco Meeting Management releases regardless of device configuration, and Cisco says there are no workarounds. A fix is available, so install the software update that closes this hole ASAP.

For anyone running Cisco Meeting Management 3.8 or earlier, the fix means migrating to a fixed release. Release 3.9 should be upgraded to 3.9.1; release 3.10 is not affected.
