Cyber Posture

CVE-2025-20156

Severity: Critical

Published: 22 January 2025
Modified: 01 August 2025
KEV Added: (not listed)
Patch: (no value given)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0338 (87.5th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20156 is a critical-severity Improper Handling of Insufficient Privileges (CWE-274) vulnerability in Cisco Meeting Management. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By EPSS the CVE ranks in the top 12.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent (AC-3, Access Enforcement): Directly requires the system to enforce approved authorizations for logical access, addressing the failure to enforce authorization on REST API users that enables privilege escalation.
- prevent (least privilege): Employs the principle of least privilege to restrict low-privilege users from accessing administrator functions via API endpoints, mitigating escalation potential.
- prevent (AC-24, Access Control Decisions): Mandates authorization decisions for system resources and verification of their enforcement, preventing unauthorized API requests from elevating privileges to administrator level.
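The three controls above describe one server-side pattern: an explicit access-control decision (AC-24), an enforcement point that every handler passes through (AC-3), and a default-deny policy so a low-privilege role never reaches administrator functions. The following is an added, constructed example that is not Cisco Meeting Management code and does not reproduce the affected endpoint; the routes, roles and policy table are hypothetical. It shows the CWE-274 class of defect (an authenticated handler that never checks the caller's role) next to the same handler behind an enforcement wrapper, plus a small audit that lists registered routes with no enforcement point, which is the "verification of enforcement" AC-24 asks for.

```python
"""Constructed example: authorization decision + enforcement for a REST-style API.
Hypothetical routes and roles; not Cisco Meeting Management code."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Tuple

ROLE_ADMIN = "admin"
ROLE_USER = "user"

Route = Tuple[str, str]  # (HTTP method, path)


@dataclass(frozen=True)
class Principal:
    """Identity the API has already authenticated. Authentication is not authorization."""
    name: str
    role: str


# Access control decision table (AC-24 style): which roles may invoke which resource.
# Anything not listed is denied, so the default is least privilege.
POLICY: Dict[Route, set] = {
    ("GET", "/api/v1/meetings"): {ROLE_USER, ROLE_ADMIN},
    ("POST", "/api/v1/admin/users"): {ROLE_ADMIN},
    ("PUT", "/api/v1/admin/nodes"): {ROLE_ADMIN},
}


def is_authorized(principal: Principal, method: str, path: str) -> bool:
    """Decision: evaluate the policy for this principal and this resource (default deny)."""
    return principal.role in POLICY.get((method, path), set())


def enforce(method: str, path: str) -> Callable:
    """Enforcement (AC-3 style): the decision is applied on every call, inside the server."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(principal: Principal, *args, **kwargs):
            if not is_authorized(principal, method, path):
                return 403, {"error": "forbidden"}
            return handler(principal, *args, **kwargs)
        wrapper._enforced = (method, path)  # marker used by the audit below
        return wrapper
    return decorator


# Defective pattern (CWE-274 class): the caller is authenticated, but the role is never checked.
def vulnerable_add_user(principal: Principal, new_user: str):
    """Any authenticated caller reaches the admin action; nothing consults principal.role."""
    return 200, {"created": new_user, "by": principal.name}


# Hardened pattern: identical handler body, but placed behind the enforcement point.
@enforce("POST", "/api/v1/admin/users")
def hardened_add_user(principal: Principal, new_user: str):
    return 200, {"created": new_user, "by": principal.name}


@enforce("GET", "/api/v1/meetings")
def list_meetings(principal: Principal):
    return 200, {"meetings": ["standup"]}


# Hypothetical route table; the "legacy" route is registered without enforcement on purpose
# so the audit has something to report.
ROUTES: Dict[Route, Callable] = {
    ("GET", "/api/v1/meetings"): list_meetings,
    ("POST", "/api/v1/admin/users"): hardened_add_user,
    ("POST", "/api/v1/admin/legacy_users"): vulnerable_add_user,
}


def unenforced_routes(routes: Dict[Route, Callable]) -> List[Route]:
    """Verification of enforcement: registered routes whose handler has no enforcement wrapper."""
    return sorted(r for r, h in routes.items() if getattr(h, "_enforced", None) is None)


if __name__ == "__main__":
    low = Principal("alice", ROLE_USER)
    print("vulnerable handler, low-priv caller:", vulnerable_add_user(low, "bob")[0])
    print("hardened handler, low-priv caller:", hardened_add_user(low, "bob")[0])
    print("routes missing enforcement:", unenforced_routes(ROUTES))
```

The audit function is the piece most worth copying into a real code base: it turns "every admin endpoint is behind an authorization check" from a review-time assumption into a test that fails when a new route is registered without one.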

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct match to exploitation of improper authorization in the REST API for privilege escalation from a low-privilege authenticated user to administrator.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

Deeper analysis [AI]

CVE-2025-20156 is a vulnerability in the REST API of Cisco Meeting Management that stems from a failure to enforce proper authorization on REST API users. This affects Cisco Meeting Management devices, enabling privilege escalation to administrator level on impacted systems, including edge nodes managed by the software.

A remote, authenticated attacker with low privileges can exploit the vulnerability by sending API requests to a specific endpoint. Successful exploitation gives the attacker administrator-level control over edge nodes managed by Cisco Meeting Management. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-274.

Cisco has issued a security advisory (cisco-sa-cmm-privesc-uy2Vf8pc) addressing the vulnerability, along with related advisories on their security center.

Details

CWE(s): CWE-274 (Improper Handling of Insufficient Privileges)

Affected Products:
- Vendor: cisco
- Product: meeting management
- Versions: ≤ 3.9.1

CVEs Like This One

- CVE-2026-20098 (same product: Cisco Meeting Management)
- CVE-2026-20126 (same vendor: Cisco)
- CVE-2026-20122 (same vendor: Cisco)
- CVE-2025-20354 (same vendor: Cisco)
- CVE-2025-20138 (same vendor: Cisco)
- CVE-2025-20333 (same vendor: Cisco)
- CVE-2025-20124 (same vendor: Cisco)
- CVE-2025-20274 (same vendor: Cisco)
- CVE-2025-20125 (same vendor: Cisco)
- CVE-2025-20175 (same vendor: Cisco)

References