Cisco

Cybersecurity News

CISA Warns Critical Cisco Firewall Vulnerabilities Under Active Exploitation  

4 Actively exploited Zero-days affecting millions of devices,. This include 3 targeted by Nation-state actor “ArcaneDoor”.

Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities referring to CVE-2025-20333 and CVE-2025-20362 in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

CISA has also added in their KEV catalog and including additional actions tailored to each agency’s status in Emergency Directive ED 25-03 document.

CISA said ‘”The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,”.

CISA has reported that an advanced threat actor ArcaneDoor, threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.  

Severity Critical 
CVSS Score 9.9  
CVEs CVE-2025-20333, CVE-2025-20362 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.1 

Overview 

The flaws discovered are actively exploited in the wild which allow attackers to execute arbitrary code or access restricted endpoints without authentication. Admins are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Buffer Overflow Vulnerability  CVE-2025-20333  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD)  Critical Update to the latest version 
Missing Authorization Vulnerability CVE-2025-20362  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) Medium  Update to the latest version 

Technical Summary 

Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.

The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.

In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.

Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.

Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20333  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  Improper input validation in the VPN web server enables authenticated remote users to send crafted HTTP requests that allow arbitrary code execution with root privileges. Remote Code Execution  
CVE-2025-20362  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  The VPN web server does not properly validate HTTP(S) user-supplied input. Attackers can exploit this by sending specially crafted requests to bypass authentication and access restricted URL endpoints. Unauthorized access  

Recommendations

  • Install the fixed software releases for Cisco Secure Firewall ASA and FTD Software 
  • Use the Cisco Software Checker to identify the earliest fixed release for your software version. 
  • Navigate the device management interface (Cisco Secure Firewall Management Center or Device Manager) to apply updates. 
  • Restart devices after installation and ensure auto-updates are enabled. 
  • Review the Configure Threat Detection for VPN Services section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable protection against VPN-related attacks. 

Conclusion: 
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.

Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure. 

References

Blogs

Firmware Vulnerabilities affecting Dell Laptops Could allow attackers to achieve persistent access 

A set of vulnerabilities affecting millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerability known as “ReVault,” mainly target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware.

This subsequently create opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.

How does the vulnerability work

Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.

The lists includes:

  • Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
  • An arbitrary free (CVE-2025-25215) flaw
  • A stack-overflow bug (CVE-2025-24922)
  • An unsafe-deserialization flaw (CVE-2025-24919)

According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:

  • Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
  • Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.

“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” as per researchers.

Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.

These are 5 critical vulnerabilities of ReVault found by Cisco Talos researcher

ReVault Attack – Five Critical Vulnerabilities

ControlVault3 and ControlVault3+ systems:

  • CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
  • CVE-2025-25050: An out-of-bounds write flaw allowing code execution
  • CVE-2025-25215: An arbitrary memory free vulnerability
  • CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
  • CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs

Importance of device security posture/Endpoint security

The incident highlight how device posture check is designed to evaluate threat that a device poses to an organization and its systems.

The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level.

Here traditional antivirus solutions cannot detect or remove it. Now sophistication of cyber threats means that organizations need to become more proactive in terms of defense.

The identification and mitigation of a threat early on, via an effective and clearly defined security posture, reduces costs, lessens downtime, and minimizes reputational damage.

Periodic security audits are essential to have a complete check on all the security features of the organization. Such audits identify vulnerabilities in the current security controls and allow for ensuring things align properly with industry standards. 

Importance of Endpoint security

End point security detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

Conclusion:

Protecting against endpoint attacks is challenging for organisation because endpoints exist where humans and machines intersect. With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.

(Source: https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/)

Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments 

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-20286 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions. 

Vulnerability Name CVE ID Product Affected Severity 
​Cisco ISE Shared Credential Vulnerability  CVE-2025-20286 Cisco ISE   Critical 

Technical Summary 

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available. 

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-20286  Cisco ISE 3.1 – 3.4 Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform   Access sensitive data 

Remediation

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4. 

Cisco ISE Release Hot Fix First Fixed Release 
3.0 and earlier Not applicable. Not affected. 
3.1 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.2 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.3 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.3P8 (November 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.4 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.4P3 (October 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.5 Not applicable. Planned release (Aug 2025) 

Conclusion: 
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation. 

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative. 

References

Security Advisory

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEMCISCO
SeverityHIGH
CVSS Score8.6
CVEsCVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​RADIUS DoS Vulnerability  CVE-2025-20152Cisco Identity Services Engine  High  ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability  CVE-2025-20113Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability  CVE-2025-20114Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-20152  CISCO ISE 3.4Improper handling of malformed RADIUS authentication requests can cause a system reload.    Denial of Service (DoS), Network Disruption
      CVE-2025-20113 Unified Intelligence Center  12.5, 12.6Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.    Privilege Escalation, Unauthorized Data Access
    CVE-2025-20114Unified Intelligence Center  12.5, 12.6Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.    Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

  • For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

  • For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

  • UIC 12.5(1)SU ES04 or later.
    • UIC 12.6(2)ES04 or later.
    • Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Security Advisory

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet. 
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access. 
  • Malware Capabilities
  • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 
  • Opens ports to act as proxy relays. 
  • Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name Hash 
0_forumdisplay-php_sh_gn-37-sh 661880986a026eb74397c334596a2762 
1_banana.gif_to_elf_t 62204e3d5de02e40e9f2c51eb991f4e8 
2_multiquote_off.gif_to_elf_gn-p_forward- 
hw-data-to-exploit-server 		9f0f0632b8c37746e739fe61f373f795 
3_collapse_tcat_gif_sh_s3-sh 22f1f4c46ac53366582e8c023dab4771 
4_message_gif_to_elf_k cffe06b0adcc58e730e74ddf7d0b4bb8 
5_viewpost_gif_to_elf_s 084802b4b893c482c94d20b55bfea47d 
6_vk_gif_to_elf_b e9eba0b62506645ebfd64becdd4f16fc 
7_slack_gif_DATA 41e8ece38086156959804becaaee8985 
8_share_gif_DATA 1f7b16992651632750e7e04edd00a45e 
banana.gif-upx 2667a50869c816fa61d432781c731ed2 
message.gif-upx 0bc534365fa55ac055365d3c31843de7 

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References


Security Advisory

High-Severity DoS Vulnerability in Cisco NX-OS Software

MPLS Encapsulated IPv6 Denial of Service Vulnerability

OEM CISCO 
Severity High 
CVSS score 7.4 
CVEs CVE-2025-20111 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads. 

Vulnerability Name CVE ID Product Affected Severity 
 Denial of service vulnerability  CVE-2025-20111   Cisco Nexus   High 

Technical Summary 

The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.

An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-20111  Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS Improper handling of specific Ethernet frames in health monitoring diagnostics  Repeated device reboots, potential network downtime  

Remediation

  • Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately. 
  • Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release. 
  • Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem. 

Conclusion: 

CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation. 

References: 

Security Advisory

Cisco Meeting Management to Prone to Attack Vectors; Vulnerability CVE-2025-20156 

Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances.

The vulnerability, CVE-2025-20156  was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD)

OEM Cisco 
Severity Critical 
CVSS 9.9 
CVEs CVE-2025-20156 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management could allow attackers to gain unauthorized administrative access. This issue affects versions prior to 3.9.1 and has been classified as critical. Cisco strongly recommends updating to the latest fixed version to address this risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2025-20156  Cisco  Critical 

Technical Summary 

A critical security vulnerability has been identified in Cisco Meeting Management. This flaw resides in the REST API and stems from improper enforcement of authorization protocols for REST API users. Remote, authenticated attackers with low-level privileges can exploit this issue by sending specially crafted API requests to specific endpoints. A successful exploit could allow attackers to escalate their privileges to administrator level and gain control over edge nodes managed by Cisco Meeting Management. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20156  Cisco Meeting Management  prior to version 3.9.1 Insufficient authorization checks in the REST API allow attackers to send crafted API requests to escalate privileges.  Attackers can gain full administrative control and disrupt business operations.  

Remediation

  1. Update to the Latest Version: 
  • Upgrade Cisco Meeting Management to version 3.9.1or later. 
  1. Regular Security Practices: 
  • Monitor Cisco’s security advisories. 
  • Regularly update systems to address emerging threats. 

Conclusion: 

CVE-2025-20156 poses a critical risk to Cisco Meeting Management users. Exploiting this flaw could disrupt operations by granting attacker’s administrative control. Immediate updates are crucial to mitigate the risk and protect affected systems. 

References: 

  • https://cybersecuritynews.com/cisco-meeting-management-vulnerability/ 

Scroll to top