Cisco Meeting Mgmt REST API Priv Esc (Auth Bypass)
CVE-2025-20156 Published on January 22, 2025

Cisco Meeting Management Client-Server Privilege Escalation Vulnerability
A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

NVD

Vulnerability Analysis

CVE-2025-20156 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Improper Handling of Insufficient Privileges

The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.


Products Associated with CVE-2025-20156

Want to know whenever a new CVE is published for Cisco Meeting Management? stack.watch will email you.

Cisco Meeting Management
 

Affected Versions

Cisco Meeting Management:

Exploit Probability

EPSS
3.10%
Percentile
86.67%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.