Cyber Resilience

CVE-2025-20156 (Critical)

Published: 22 January 2025
Modified: 01 August 2025
KEV Added: not listed
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0148 (81.4th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20156 is a critical-severity Improper Handling of Insufficient Privileges (CWE-274) vulnerability in Cisco Meeting Management. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked in the top 18.6% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

A vulnerability in the REST API of Cisco Meeting Management stems from improper enforcement of authorization checks for authenticated users. The affected component allows remote, low-privileged attackers to interact with specific endpoints that should be restricted to administrators, resulting in a CVSS 9.9 rating that reflects high impact across confidentiality, integrity, and availability on managed systems.

An authenticated attacker with low privileges can exploit the flaw by crafting requests to an unprotected API endpoint, thereby elevating their access to administrator level. Successful exploitation grants full control over edge nodes managed by the Cisco Meeting Management instance, affecting any deployment where the REST API is reachable over the network.

The Cisco Security Advisory cisco-sa-cmm-privesc-uy2Vf8pc addresses the issue and is the authoritative source for mitigation steps and patch availability. The two ClamAV references are unrelated to this CVE.

EPSS for the vulnerability rose from a low baseline to a peak of 0.0347, indicating emerging exploitation interest after disclosure that warrants renewed attention despite the current score of 0.0148.


Vulnerability details

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users.

An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

CWE(s): CWE-274 Improper Handling of Insufficient Privileges

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct match to exploitation of improper authorization in REST API for privilege escalation from low-priv authenticated user to admin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20098: same product (Cisco Meeting Management)
CVE-2026-20122: same vendor (Cisco)
CVE-2026-20126: same vendor (Cisco)
CVE-2025-20354: same vendor (Cisco)
CVE-2025-20333: same vendor (Cisco)
CVE-2025-20138: same vendor (Cisco)
CVE-2025-20124: same vendor (Cisco)
CVE-2025-20274: same vendor (Cisco)
CVE-2025-20125: same vendor (Cisco)
CVE-2025-20172: same vendor (Cisco)

Affected Assets

Cisco Meeting Management, versions ≤ 3.9.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly requires the system to enforce approved authorizations for logical access, addressing the failure to enforce authorization on REST API users that enables privilege escalation.

Least privilege (prevent): Employs the principle of least privilege to restrict low-privilege users from accessing administrator functions via API endpoints, mitigating escalation potential.

AC-24 Access Control Decisions (prevent): Mandates authorization decisions for system resources and verification of their enforcement, preventing unauthorized API requests from elevating privileges to administrator level.
