9.9

CVE-2025-20156

EPSS 0.32%
Published 22.01.2025 17:15:12
Last modified 01.08.2025 15:52:09
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device.

This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Meeting Management Version < 3.9.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.548

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
psirt@cisco.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-274 Improper Handling of Insufficient Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html

Not Applicable

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA

Not Applicable

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-20156

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-20156

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-20156

EUVD