Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances.
The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management.
“This vulnerability exists because proper authorization is not enforced upon REST API users,” the company said in a Wednesday advisory. “An attacker could exploit this vulnerability by sending API requests to a specific endpoint.”
“A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.”
The networking equipment major credited Ben Leonard-Lagarde of Modux for reporting the security shortcoming. It affects the following versions of the product irrespective of device configuration –
- Cisco Meeting Management release version 3.9 (Patched in 3.9.1)
- Cisco Meeting Management release versions 3.8 and earlier (Migrate to a fixed release_
- Cisco Meeting Management release version 3.10 (Not vulnerable)
Cisco has also released patches to remediate a denial-of-service (DoS) flaw affecting BroadWorks that stems from improper memory handling for certain Session Initiation Protocol (SIP) requests (CVE-2025-20165, CVSS score: 7.5). The issue has been fixed in version RI.2024.11.
“An attacker could exploit this vulnerability by sending a high number of SIP requests to an affected system,” it said.
“A successful exploit could allow the attacker to exhaust the memory that was allocated to the Cisco BroadWorks Network Servers that handle SIP traffic. If no memory is available, the Network Servers can no longer process incoming requests, resulting in a DoS condition that requires manual intervention to recover.”
A third vulnerability patched by Cisco is CVE-2025-20128 (CVSS score: 5.3), an integer underflow bug impacting the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV that could also result in a DoS condition.
The company, which acknowledged Google OSS-Fuzz for reporting the flaw, said it’s aware of the existence of a proof-of-concept (PoC) exploit code, although there is no evidence it has been maliciously exploited in the wild.
CISA and FBI Detail Ivanti Exploit Chains
News of Cisco flaws comes as the U.S. government’s cybersecurity and law enforcement agencies released technical details of two exploit chains weaponized by nation-state hacking crews to break into Ivanti’s cloud service applications in September 2024.
The vulnerabilities in question are as follows –
The attack sequences, per the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), involved the abuse of CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 in one case, and CVE-2024-8963 and CVE-2024-9379 in the other.
It’s worth noting that the first exploit chain was disclosed by Fortinet FortiGuard Labs in October 2024. In at least one instance, the threat actors are believed to have conducted lateral movement after gaining an initial foothold.
The second exploit chain has been found to leverage CVE-2024-8963 in combination with CVE-2024-9379 to obtain access to the target network, followed by unsuccessful attempts to implant web shells for persistence.
“Threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant web shells on victim networks,” the agencies said. “Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised.
