CVE-2025-20156
Published: 22 January 2025
Summary
CVE-2025-20156 is a critical-severity Improper Handling of Insufficient Privileges (CWE-274) vulnerability in Cisco Meeting Management. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 18.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
A vulnerability in the REST API of Cisco Meeting Management stems from improper enforcement of authorization checks for authenticated users. The affected component allows remote, low-privileged attackers to interact with specific endpoints that should be restricted to administrators, resulting in a CVSS 9.9 rating that reflects high impact across confidentiality, integrity, and availability on managed systems.
An authenticated attacker with low privileges can exploit the flaw by crafting requests to an unprotected API endpoint, thereby elevating their access to administrator level. Successful exploitation grants full control over edge nodes managed by the Cisco Meeting Management instance, affecting any deployment where the REST API is reachable over the network.
The Cisco Security Advisory cisco-sa-cmm-privesc-uy2Vf8pc addresses the issue and is the authoritative source for mitigation steps and patch availability. The two ClamAV references are unrelated to this CVE.
EPSS for the vulnerability rose from a low baseline to a peak of 0.0347, indicating emerging exploitation interest after disclosure; although the current score is 0.0148, that spike warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2156
Vulnerability details
A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users.
An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.
- CWE(s): CWE-274 (Improper Handling of Insufficient Privileges)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
Direct match to exploitation of improper authorization in a REST API for privilege escalation from a low-privileged authenticated user to administrator.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly requires the system to enforce approved authorizations for logical access, addressing the failure to enforce authorization on REST API users that enables privilege escalation.
- Least privilege: Restricts low-privilege users from accessing administrator functions via API endpoints, mitigating escalation potential.
- AC-24 (Access Control Decisions): Mandates authorization decisions for system resources and verification of their enforcement, preventing unauthorized API requests from elevating privileges to administrator level.
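The controls above describe the same defect from three angles: the API authenticated its callers but never decided, per request, whether the caller's role admitted the endpoint. The following is an added example, not Cisco code and not a description of the actual Cisco Meeting Management endpoint: a hypothetical REST dispatcher whose route table forces every endpoint to declare the roles it admits, shown beside the CWE-274 pattern in which the role is never consulted. All paths, roles, principals and requests are constructed placeholders; the audit log shows the denial signal a defender would want to alert on.

```python
from dataclasses import dataclass

# Constructed request model. The principal and role are assumed to come from an
# already-verified session; the bug being illustrated is in authorization, not
# authentication.
@dataclass(frozen=True)
class Request:
    user: str    # authenticated principal ("" means anonymous)
    role: str    # "user" or "admin" in this toy model
    method: str
    path: str

ADMIN_ONLY = frozenset({"admin"})
ANY_AUTHENTICATED = frozenset({"user", "admin"})


class Api:
    """Hypothetical route table. A route cannot be registered without an
    allowed-role set, so the least-privilege policy is data, not per-handler
    discipline that an individual endpoint can forget."""

    def __init__(self):
        self.routes = {}
        self.audit_log = []

    def route(self, method, path, roles):
        if not roles:
            raise ValueError(f"{method} {path}: no allowed-role set declared")

        def bind(fn):
            self.routes[(method, path)] = (frozenset(roles), fn)
            return fn
        return bind


def build_api():
    """Two placeholder endpoints: one for any authenticated caller, one admin-only."""
    api = Api()

    @api.route("GET", "/api/v1/meetings", ANY_AUTHENTICATED)
    def list_meetings(req):
        return f"meetings visible to {req.user}"

    @api.route("POST", "/api/v1/admin/nodes", ADMIN_ONLY)
    def manage_nodes(req):
        return f"managed-node settings changed by {req.user}"

    return api


def vulnerable_dispatch(api, req):
    """CWE-274 pattern: the caller is authenticated, then dispatched straight to
    the handler. The declared role set is present but never enforced."""
    if not req.user:
        return 401, "unauthenticated"
    entry = api.routes.get((req.method, req.path))
    if entry is None:
        return 404, "not found"
    _roles, fn = entry
    return 200, fn(req)


def hardened_dispatch(api, req):
    """AC-24: the access decision is made once, centrally, before any handler
    runs. AC-3: the decision is enforced by refusing to dispatch, and every
    refusal is recorded so repeated probes of admin endpoints are visible."""
    if not req.user:
        return 401, "unauthenticated"
    entry = api.routes.get((req.method, req.path))
    if entry is None:
        return 404, "not found"
    roles, fn = entry
    if req.role not in roles:
        api.audit_log.append(
            f"DENY user={req.user} role={req.role} {req.method} {req.path}")
        return 403, "forbidden"
    return 200, fn(req)


if __name__ == "__main__":
    api = build_api()
    low_priv_admin_call = Request("alice", "user", "POST", "/api/v1/admin/nodes")
    print("vulnerable:", vulnerable_dispatch(api, low_priv_admin_call))
    print("hardened:  ", hardened_dispatch(api, low_priv_admin_call))
    print("audit:     ", api.audit_log)
```

The two dispatchers share the same route table; only the hardened one consults the declared role set, which is the difference between "authenticated" and "authorized" that the advisory text describes. In a real deployment the `DENY` lines belong in the audit trail that feeds detection, since a low-privilege account repeatedly hitting administrator endpoints is the observable precursor to this class of escalation.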