

Severity
High
Analysis Summary
Cisco has issued critical security updates to address several vulnerabilities across its product line. The most severe, CVE-2025-20156 (CVSS 9.9), is a privilege escalation flaw in Cisco Meeting Management's REST API.
According to the researcher, this vulnerability stems from improper authorization of API users, allowing a remote, authenticated attacker to gain administrator-level control over managed edge nodes by sending specific API requests. Affected versions include 3.9 (fixed in 3.9.1) and 3.8 and earlier (requiring migration to a patched release), while version 3.10 is not vulnerable.
In addition to the Meeting Management flaw, Cisco patched two other vulnerabilities. CVE-2025-20165 (CVSS 7.5) is a denial-of-service (DoS) flaw in BroadWorks caused by improper memory handling of certain SIP requests. An attacker could exploit this by sending a high volume of SIP requests, exhausting server memory and disrupting service. This issue is resolved in version RI.2024.11. The third vulnerability, CVE-2025-20128 (CVSS 5.3), is an integer underflow bug in ClamAV's OLE2 decryption routine, which can also lead to a DoS condition. Cisco acknowledged Google OSS-Fuzz for reporting this flaw and confirmed that it is aware of a proof-of-concept exploit, though there is no evidence of active exploitation.
Separately, U.S. government agencies (CISA and FBI) released technical details about exploit chains used by nation-state actors against Ivanti's cloud service applications in September 2024. These attacks leveraged a combination of vulnerabilities: CVE-2024-8963 (administrative bypass), CVE-2024-9379 (SQL injection), and CVE-2024-8190 and CVE-2024-9380 (both remote code execution). One exploit chain combined CVE-2024-8963 with the RCE vulnerabilities, while the other paired CVE-2024-8963 with the SQL injection flaw. These chains allowed attackers to gain initial access, execute code remotely, obtain credentials, and attempt to implant web shells for persistent access.
The agencies confirmed that threat actors chained these Ivanti vulnerabilities to compromise victim networks, stressing that credentials and sensitive data stored within affected Ivanti appliances should be considered compromised. The first exploit chain was previously disclosed by Fortinet FortiGuard Labs in October 2024. These disclosures highlight the ongoing threat of sophisticated attacks targeting network infrastructure and cloud applications, emphasizing the critical need for prompt patching and robust security practices.
Impact
- Privilege Escalation
- Denial-of-Service
- Remote Code Execution
Remediation
- Refer to the Cisco Meeting Management advisory for patch, upgrade, or suggested workaround information.
- Ensure that security updates are applied promptly across all systems.
- Regularly scan your network and systems for known vulnerabilities.
- Proactively identify and address security weaknesses.
- Regularly back up critical data and systems to facilitate recovery in case of compromise.