ID

VAR-202501-3155


CVE

CVE-2025-20156


TITLE

Cisco Meeting Management Privilege Escalation Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-02825

DESCRIPTION

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management. Cisco Meeting Management is software used by Cisco to manage and schedule meetings.

Trust: 1.44

sources: NVD: CVE-2025-20156 // CNVD: CNVD-2025-02825

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-02825

AFFECTED PRODUCTS

vendor: cisco
model: meeting management
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2025-02825

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@cisco.com: CVE-2025-20156
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2025-02825
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-02825
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

psirt@cisco.com: CVE-2025-20156
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-02825 // NVD: CVE-2025-20156

PROBLEMTYPE DATA

problemtype: CWE-274

Trust: 1.0

sources: NVD: CVE-2025-20156

PATCH

title: Patch for Cisco Meeting Management Privilege Escalation Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/654736

Trust: 0.6

sources: CNVD: CNVD-2025-02825

EXTERNAL IDS

db: NVD id: CVE-2025-20156

Trust: 1.6

db: CNVD id: CNVD-2025-02825

Trust: 0.6

sources: CNVD: CNVD-2025-02825 // NVD: CVE-2025-20156

REFERENCES

url: https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html

Trust: 1.6

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-clamav-ole2-h549rpha

Trust: 1.6

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cmm-privesc-uy2vf8pc

Trust: 1.6

sources: CNVD: CNVD-2025-02825 // NVD: CVE-2025-20156

SOURCES

db: CNVD id: CNVD-2025-02825
db: NVD id: CVE-2025-20156

LAST UPDATE DATE

2025-02-25T23:03:56.568000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-02825 date: 2025-02-13T00:00:00
db: NVD id: CVE-2025-20156 date: 2025-01-29T16:15:43.693

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-02825 date: 2025-02-11T00:00:00
db: NVD id: CVE-2025-20156 date: 2025-01-22T17:15:12.800