Source |
Techworm |
Identifier |
8641651 |
Publication date |
2025-01-23 22:00:56 (viewed: 2025-01-23 16:53:37) |
Title |
CVSS Score 9.9: Cisco Patches Critical Privilege Escalation Vulnerability In Meeting Management Software |
Text |
Cisco, the largest provider of networking equipment in the world, released a security update on Wednesday to address a critical privilege escalation vulnerability in the REST API of Cisco Meeting Management.
The critical vulnerability tracked as CVE-2025-20156 has been rated 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS). This privilege escalation flaw, if exploited, could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device, posing a severe risk to organizations.
“This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint,” the company said in an advisory on Wednesday.
Cisco also thanked Ben Leonard-Lagarde of Modux for reporting this vulnerability.
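The advisory text above describes the flaw class, not a specific payload: an authenticated but low-privilege REST API user reaches an endpoint whose handler never checks the caller's role. The following is an added illustration of that class written for this page; it is not Cisco Meeting Management code, and the endpoint path, the role ladder and the user records are hypothetical. It contrasts a route registered with no authorization policy against the same handler gated on the administrator role, with a router that refuses to register policy-less routes at all.

```python
# Added illustration of the flaw class Cisco describes (authorization not enforced
# on a REST API endpoint), built on a stdlib-only dispatcher. This is NOT Cisco
# Meeting Management code; the endpoint path, roles and user records are
# hypothetical and constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ROLE_RANK = {"viewer": 0, "operator": 1, "administrator": 2}  # assumed role ladder


@dataclass
class User:
    name: str
    role: str


@dataclass
class Request:
    method: str
    path: str
    user: User                 # already authenticated; the defect is authorization
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


class Api:
    """Tiny REST router. Each route carries an explicit minimum role; a route
    registered without one is accepted only when deny_by_default is False."""

    def __init__(self, deny_by_default: bool = True):
        self.deny_by_default = deny_by_default
        self.users: Dict[str, User] = {}
        self.routes: Dict[Tuple[str, str], Callable[[Request], Response]] = {}

    def route(self, method: str, path: str, min_role: Optional[str] = None):
        if min_role is None and self.deny_by_default:
            raise ValueError(f"{method} {path}: no authorization policy declared")

        def register(handler: Callable[[Request], Response]):
            def guarded(req: Request) -> Response:
                # Function-level authorization: the caller's role is checked
                # for this endpoint on every request, not only at login.
                if min_role is not None and ROLE_RANK[req.user.role] < ROLE_RANK[min_role]:
                    return Response(403, {"error": "forbidden"})
                return handler(req)
            self.routes[(method, path)] = guarded
            return handler
        return register

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get((req.method, req.path))
        if handler is None:
            return Response(404, {"error": "no such endpoint"})
        return handler(req)


def _set_role_handler(api: Api) -> Callable[[Request], Response]:
    # Hypothetical privileged operation: change any account's role.
    def set_role(req: Request) -> Response:
        target = api.users.get(req.body.get("user", ""))
        if target is None or req.body.get("role") not in ROLE_RANK:
            return Response(400, {"error": "bad request"})
        target.role = req.body["role"]
        return Response(200, {"user": target.name, "role": target.role})
    return set_role


def build_vulnerable_api() -> Api:
    # Vulnerable shape: the endpoint is reachable by any authenticated user
    # because no role requirement is attached to it.
    api = Api(deny_by_default=False)
    api.route("PUT", "/api/v1/users/role")(_set_role_handler(api))
    return api


def build_fixed_api() -> Api:
    # Hardened shape: the same handler, now gated on the administrator role,
    # and the router refuses any route that declares no policy.
    api = Api(deny_by_default=True)
    api.route("PUT", "/api/v1/users/role", min_role="administrator")(_set_role_handler(api))
    return api


def attempt_escalation(api: Api) -> Tuple[int, str]:
    """A low-privilege authenticated user tries to make itself administrator.
    Returns (HTTP status, the user's role afterwards)."""
    api.users["alice"] = User("alice", "viewer")       # constructed account
    req = Request("PUT", "/api/v1/users/role", api.users["alice"],
                  {"user": "alice", "role": "administrator"})
    resp = api.dispatch(req)
    return resp.status, api.users["alice"].role


if __name__ == "__main__":
    print("vulnerable:", attempt_escalation(build_vulnerable_api()))  # (200, 'administrator')
    print("fixed:     ", attempt_escalation(build_fixed_api()))       # (403, 'viewer')
```

The deny-by-default router is the part worth copying: a framework that lets a route exist with no declared policy makes the vulnerable shape the path of least resistance, whereas one that raises at registration time turns a missing check into a startup failure instead of a CVE.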
The following Cisco Meeting Management releases are affected regardless of device configuration; Cisco has published fixed software for them:
Cisco Meeting Management 3.8 and earlier: migrate to a fixed release, such as 3.9.1.
Cisco Meeting Management 3.9: fixed in 3.9.1.
Cisco Meeting Management 3.10: not affected; no update required.
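For a fleet of appliances the version table above is easiest to apply as a small triage helper. The following is an added example written for this page, not Cisco tooling: it parses version strings into numeric tuples (so that 3.10 sorts after 3.9, which a plain string comparison gets wrong) and maps each host to the action the article lists. Releases newer than 3.10 are not covered by the article, so the helper reports them as not listed rather than guessing; the hostnames and versions in the sample fleet are constructed.

```python
# Added triage helper for the advisory's version table (not Cisco's tooling).
# Classifies Cisco Meeting Management version strings as the article
# summarizes the advisory: 3.8 and earlier migrate, 3.9 patches to 3.9.1,
# 3.10 is not affected. Releases after 3.10 are not covered by the article,
# so they are reported as "not listed" rather than assumed safe.
from typing import List, Tuple

FIXED_RELEASE = (3, 9, 1)
UNAFFECTED_BRANCH = (3, 10)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.9.1' -> (3, 9, 1). Tuples compare numerically, so 3.10 > 3.9;
    comparing the raw strings would put '3.10' before '3.9'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> str:
    v = parse_version(version)
    branch = v[:2]
    if branch > UNAFFECTED_BRANCH:
        return "not listed in advisory; check Cisco"
    if branch == UNAFFECTED_BRANCH:
        return "not affected"
    if v >= FIXED_RELEASE:
        return "fixed"
    if branch == (3, 9):
        return "upgrade to 3.9.1"
    return "migrate to a fixed release"


NEEDS_ACTION = {"upgrade to 3.9.1", "migrate to a fixed release"}


def triage_fleet(hosts: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """hosts: (hostname, version). Returns (hostname, version, action),
    hosts that still need an upgrade first, then alphabetically."""
    rows = [(host, ver, triage(ver)) for host, ver in hosts]
    return sorted(rows, key=lambda r: (r[2] not in NEEDS_ACTION, r[0]))


# Constructed sample inventory for the example.
SAMPLE_FLEET = [
    ("cmm-prod-02", "3.9.1"),
    ("cmm-dr-01", "3.10"),
    ("cmm-prod-01", "3.9"),
    ("cmm-lab-01", "3.8.2"),
]

if __name__ == "__main__":
    for host, ver, action in triage_fleet(SAMPLE_FLEET):
        print(f"{host:12} {ver:8} {action}")
```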
At the time the advisory was released, the Cisco Product Security Incident Response Team (PSIRT) said it was not aware of any public announcements or malicious use of the vulnerability, meaning no evidence of in-the-wild exploitation had been seen.
There are no workarounds that mitigate this vulnerability; applying the software update is the only fix. Because exploitation requires valid, low-privilege REST API credentials, reviewing which accounts can reach the API narrows exposure until the upgrade is done, but does not remove the flaw.
Cisco has urged customers to apply the available patches immediately. Customers with service contracts that entitle them to regular software updates should obtain the fixes through their usual update channels.
Customers without a service contract can contact the Cisco Technical Assistance Center (TAC) for help obtaining the upgrade.
Cisco has also confirmed that only the products listed in the Vulnerable Products section of the advisory are affected, and advises customers to verify hardware and software compatibility with the target release before upgrading so that the upgrade does not destabilize their deployment.
|
Notes |
★★★
|
Sent |
Yes |
Tags |
Vulnerability
Threat
Technical
|