Critical Vulnerability Discovered in Cisco’s Meeting Management System

Modux is proud to share that our team recently discovered a critical vulnerability in Cisco’s Meeting Management (CMM) platform.

Our team uncovered a significant vulnerability in Cisco’s Meeting Management platform (CVE-2025-20156) that posed a serious risk to businesses relying on its web application for secure communication. This flaw, identified by Lead Security Consultant, Ben, allows for privilege escalation via the REST API - a serious discovery that could have far-reaching consequences for those affected.

How the Vulnerability Works

The vulnerability we discovered allows a malicious actor to bypass essential user controls within the Cisco Meeting Management system.

As a low-level non-administrative video operator user, it is possible to directly execute commands via the emulated SSH session present at the ‘/#servers/servers’ resource.

As expected, when accessed via the browser, non-administrator users are presented with an error page indicating they are lacking the privileges required to configure and connect to connected devices:

The application, however, fails to apply these restrictions at the API level, allowing a malicious user to directly connect to the ‘/api/ssh_run_command/’ endpoint and interact with any connected devices as if they were an administrator:

The entered commands are executed under the context of whatever device administrator was used to connect and control the device with CMM – and therefore allows full administrative control over the device in question:

Shown below is the request and response to the ‘/api/user/me/’ API endpoint with the same user (note the identical session token) – which returns a response showing the only assigned role is operator:

Once this is achieved, the attacker gains the ability to execute privileged commands on any edge nodes connected to the platform, granting them administrative access. This privilege escalation opens the door to a range of malicious activities, including (but not limited to):

·         Complete administrative control over connected server devices.

·         The ability to intercept or modify live calls and meetings.

·         The potential to run malicious content on devices within the network.

·         Lateral movement within the network, potentially enabling attackers to spread their reach and compromise additional systems.

Cisco’s Response

Upon discovering this vulnerability, we immediately reported it to Cisco, who acted swiftly to address the issue. Cisco has since released software updates designed to mitigate the risk and close the security gap. These updates are crucial for businesses using CMM to ensure their systems remain secure and protected from potential exploitation.

Why It Matters

It’s easy to think that a product from a high profile vendor is fool proof, but our findings clearly demonstrate that vulnerabilities can exist even in solutions that are perceived to be thoroughly tested and secure.

The vulnerability we identified was technically straightforward to exploit, highlighting a crucial reality of modern cybersecurity - even well-known products, no matter how trusted, can have weaknesses that are easily overlooked.

Cisco’s prompt response to this issue is a testament to the company's commitment to safeguarding their users, but businesses must remain proactive in managing their security.

At Modux, we are committed to identifying and addressing vulnerabilities like these before they can be exploited. We help ensure our clients’ digital environments remain safe and resilient against emerging threats. For those using Cisco’s Meeting Management system, we strongly recommend applying the latest software updates to mitigate the risk posed by this vulnerability.