Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug
Cisco has pushed a patch for a critical, 9.9-rated vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to escalate to administrator on affected devices.
Cisco Meeting Management is the management software for the tech giant’s on-premises video meeting platform.
The flaw, tracked as CVE-2025-20156, exists due to a failure to enforce proper authorization for REST API users, and it’s pretty easy to exploit.
“An attacker could exploit this vulnerability by sending API requests to a specific endpoint,” the biz warned in a Wednesday security alert. A successful exploit could grant admin-level access over edge nodes, the components of Cisco’s video conferencing infrastructure that this tool manages.
The vulnerability affects most Cisco Meeting Management releases, regardless of device configuration, and there is no workaround at this time. There is a fix, however, so we’d suggest installing the software update that patches this hole ASAP.
For anyone using Cisco Meeting Management 3.8 and earlier, the fix involves migrating to a supported version. Users of release 3.9 should upgrade to version 3.9.1, and release 3.10 is not affected by the vulnerability.
While the networking giant isn’t aware of any in-the-wild exploits of this flaw, it’s probably just a matter of time until that happens, or a Proof-of-Concept (PoC) exploit surfaces. So, get patching.
Cisco credited Modux bug hunter Ben Leonard-Lagarde with initially disclosing this vulnerability. ®