High

A high-severity security vulnerability has been disclosed in Cisco Meeting Management software that allows authenticated remote attackers to gain full control of affected systems. Tracked as CVE-2026-20098, the flaw enables attackers to upload malicious files and execute arbitrary commands with root-level privileges, the highest level of access on a system. Because root access grants unrestricted control, successful exploitation could result in complete server compromise.

The vulnerability exists within the Certificate Management feature of the Cisco Meeting Management web interface. This feature is designed to manage digital certificates, but due to improper input validation, the application fails to correctly verify uploaded files. As a result, attackers can bypass security checks and upload malicious files disguised as legitimate certificates. Once uploaded, these files are processed by the system using the root account, directly leading to privilege escalation.

To exploit the flaw, an attacker must already possess valid credentials with at least the “video operator” role, which slightly reduces exposure to external attackers. However, this does not significantly lessen the risk, as compromised or abused credentials could still lead to a full system takeover. The vulnerability affects Cisco Meeting Management versions 3.12 and earlier, and Cisco has confirmed that the issue is present regardless of system configuration.

There are no workarounds available to mitigate this vulnerability through configuration changes. The only effective remediation is to upgrade to Cisco Meeting Management release 3.12.1 MR or later, which fixes the input validation issue. The flaw was responsibly disclosed by the NATO Cyber Security Centre Penetration Testing Team, and there is currently no evidence of active exploitation. Nonetheless, organizations are strongly advised to apply patches immediately to prevent future attacks, especially before threat actors reverse-engineer the update to develop working exploits.