CyberSecurity news

FlagThis - #cisco

Stu Sjouwerman@blog.knowbe4.com //
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.

Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies.

The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers.

Recommended read:
References :
  • blog.knowbe4.com: Toll-themed smishing attacks surge in US and UK
  • The Hacker News: Cybersecurity researchers are warning of a widespread and ongoing SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • ciso2ciso.com: Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • krebsonsecurity.com: Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
  • The DefendOps Diaries: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
  • ciso2ciso.com: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Source:thehackernews.com
  • www.scworld.com: Massive ongoing US toll fraud underpinned by Chinese smishing kit

Sergiu Gatlan@BleepingComputer //
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.

Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level.

Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236.

Recommended read:
References :
  • securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
  • The DefendOps Diaries: Understanding the Cisco Webex App Vulnerability: A Call to Action
  • BleepingComputer: Cisco Webex bug lets hackers gain code execution via meeting links
  • bsky.app: Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
  • www.bleepingcomputer.com: Cisco Webex bug lets hackers gain code execution via meeting links

@The DefendOps Diaries //
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.

The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.

Recommended read:
References :
  • bsky.app: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • The DefendOps Diaries: Explore the critical Cisco Smart Licensing Utility vulnerability and learn mitigation strategies to protect your network.
  • Cyber Security News: Cisco Smart Licensing Utility Vulnerabilities Let Attackers Gain Admin Access
  • gbhackers.com: Cisco Smart Licensing Utility Flaws Allowed Attackers to Gain Admin Access
  • securityonline.info: CISA Warns of Active Exploitation of Cisco Smart Licensing Utility Flaw

Matt Kapko@CyberScoop //
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.

This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments.

Recommended read:
References :
  • Threats | CyberScoop: Identity lapses ensnared organizations at scale in 2024
  • SiliconANGLE: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
  • www.scworld.com: Sixty percent of cybersecurity incidents around the world last year were identity-based intrusions, with identity targeting being prominent across all attack stages, SiliconAngle reports.

@cyberalerts.io //
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group uses a combination of web shells, such as the Chopper web shell, and open-source tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.

UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.

Recommended read:
References :
  • Cisco Talos Blog: UAT-5918 targets critical infrastructure entities in Taiwan
  • Industrial Cyber: UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon
  • thehackernews.com: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
  • Talkback Resources: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools [ics] [net]
  • Cyber Security News: UAT-5918 Threat Actors Target Exposed Web and Application Servers via N-Day Vulnerabilities
  • gbhackers.com: UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers
  • The DefendOps Diaries: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
  • securityaffairs.com: UAT-5918 APT group targets critical Taiwan
  • www.scworld.com: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim systems.
  • Virus Bulletin: Cisco Talos researchers Jung soo An, Asheer Malhotra, Brandon White & Vitor Ventura analyse a UAT-5918 malicious campaign targeting critical infrastructure entities in Taiwan.

Sergiu Gatlan@BleepingComputer //
Cisco has addressed a critical denial-of-service (DoS) vulnerability, CVE-2025-20115, found in the Border Gateway Protocol (BGP) confederation implementation of its IOS XR Software. The vulnerability arises from a memory corruption flaw, specifically the improper handling of the AS_CONFED_SEQUENCE attribute within BGP update messages. An attacker can exploit this by injecting a crafted message containing 255 or more autonomous system numbers, leading to process instability and a potential BGP process restart.

Successful exploitation of this flaw allows unauthenticated attackers to crash the BGP process, disrupting network routing and potentially causing significant service outages. This is particularly concerning for large-scale networks using BGP confederation. The affected software versions include Cisco IOS XR Release 7.11 and earlier, Release 24.1 and earlier, Release 24.2 before version 24.2.21 (fixed in 24.2.21), and Release 24.3, which is fixed in version 24.3.1. The primary mitigation strategy is to apply the latest software update provided by Cisco.
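The condition described above (an AS_PATH carrying 255 or more AS numbers in AS_CONFED_SEQUENCE segments) can be checked on the wire by a monitoring or validation tool. The following is an added example, not Cisco code or code from any of the cited articles: it parses the AS_PATH attribute value using the standard RFC 4271/RFC 5065 segment encoding with 4-byte ASNs and flags updates that meet the threshold. The threshold of 255 is the figure quoted in the summary; summing across all AS_CONFED_SEQUENCE segments is an assumption about how to apply it, and the sample paths are constructed.

```python
"""Defensive AS_PATH check for the CVE-2025-20115 condition described above.

Added example for a BGP monitoring or validation tool (not Cisco code).
Input is only the AS_PATH path-attribute value, i.e. a run of segments:
    type (1 byte) | count (1 byte) | count x ASN (4 bytes each, RFC 6793)
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Segment type codes from RFC 4271 and RFC 5065.
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {AS_SET: "AS_SET", AS_SEQUENCE: "AS_SEQUENCE",
                 AS_CONFED_SEQUENCE: "AS_CONFED_SEQUENCE",
                 AS_CONFED_SET: "AS_CONFED_SET"}

# Figure from the advisory summary; counting all AS_CONFED_SEQUENCE
# segments together is an assumption (a single segment holds at most 255).
CONFED_ASN_THRESHOLD = 255


@dataclass
class Segment:
    seg_type: int
    asns: List[int]


def parse_as_path(value: bytes, asn_size: int = 4) -> List[Segment]:
    """Decode AS_PATH segments, rejecting truncated encodings outright."""
    segments: List[Segment] = []
    off = 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        need = count * asn_size
        if off + need > len(value):
            raise ValueError("truncated segment body")
        fmt = ">%d%s" % (count, "I" if asn_size == 4 else "H")
        asns = list(struct.unpack(fmt, value[off:off + need]))
        off += need
        segments.append(Segment(seg_type, asns))
    return segments


def confed_asn_count(segments: List[Segment]) -> int:
    """Total ASNs carried in AS_CONFED_SEQUENCE segments."""
    return sum(len(s.asns) for s in segments if s.seg_type == AS_CONFED_SEQUENCE)


def flag_confed_sequence(value: bytes,
                         threshold: int = CONFED_ASN_THRESHOLD) -> Dict[str, object]:
    """Return a small report; 'suspicious' is True at or above the threshold."""
    segments = parse_as_path(value)
    n = confed_asn_count(segments)
    return {
        "confed_asns": n,
        "suspicious": n >= threshold,
        "segments": [(SEGMENT_NAMES.get(s.seg_type, "UNKNOWN"), len(s.asns))
                     for s in segments],
    }


def build_as_path(segments: List[Tuple[int, List[int]]]) -> bytes:
    """Encode segments with 4-byte ASNs; used here only for the constructed samples."""
    out = bytearray()
    for seg_type, asns in segments:
        if len(asns) > 255:
            raise ValueError("a segment holds at most 255 ASNs")
        out += bytes([seg_type, len(asns)])
        out += struct.pack(">%dI" % len(asns), *asns)
    return bytes(out)


# Constructed samples: a normal confederation path and one at the threshold.
NORMAL_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65001, 65002]),
                             (AS_SEQUENCE, [64496, 64497])])
LONG_CONFED_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65000 + i for i in range(255)]),
                                  (AS_SEQUENCE, [64496])])

if __name__ == "__main__":
    for name, path in (("normal", NORMAL_PATH), ("long-confed", LONG_CONFED_PATH)):
        print(name, flag_confed_sequence(path))
```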

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Cisco IOS XR Vulnerability: CVE-2025-20115
  • BleepingComputer: Cisco vulnerability lets attackers crash BGP on IOS XR routers
  • www.cysecurity.news: Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended
  • securityaffairs.com: Cisco IOS XR flaw allows attackers to crash BGP process on routers
  • securityonline.info: Cisco Alerts on Public Disclosure of CVE-2025-20115 – BGP Flaw Puts Networks at Risk
  • Rescana: The Cisco IOS XR Software Border Gateway Protocol (BGP) Confederation Denial of Service vulnerability, identified as...
  • gbhackers.com: Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software that could allow attackers to launch denial-of-service (DoS) attacks. The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation. The CVE-2025-20115 vulnerability affects the Border Gateway Protocol (BGP) confederation implementation in Cisco IOS XR Software, potentially allowing
  • bsky.app: Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major companies, including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

Ameer Owda@socradar.io //
Cisco has released patches to address two critical remote code execution vulnerabilities in its Identity Services Engine (ISE). The flaws, tracked as CVE-2025-20124 (CVSS score 9.9) and CVE-2025-20125 (CVSS score 9.1), could allow a remote attacker with read-only administrative privileges to execute arbitrary commands on affected devices. Successful exploitation could lead to privilege escalation and unauthorized system configuration changes.

The first vulnerability, CVE-2025-20124, is due to insecure deserialization of user-supplied Java byte streams, allowing attackers to execute arbitrary commands and elevate privileges by sending a crafted serialized Java object to an affected API. The second, CVE-2025-20125, is an authorization bypass issue that could allow attackers to obtain sensitive information, modify system configurations, and restart the node by sending a crafted HTTP request to a specific API. Cisco warns that there are no workarounds, advising customers to migrate to a fixed software release as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes.
  • securityonline.info: CVE-2025-20124 (CVSS 9.9) & CVE-2025-20125 (CVSS 9.1): Cisco Patches Critical Flaws in Identity Services Engine
  • ciso2ciso.com: Cisco addressed two critical flaws in its Identity Services Engine (ISE) – Source: securityaffairs.com
  • securityonline.info: Cisco has issued a security advisory addressing two critical vulnerabilities in its Identity Services Engine (ISE), a network
  • Pyrzout :vm:: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities – Source:sec.cloudapps.cisco.com #'Cyber
  • BleepingComputer: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • socradar.io: Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
  • The Hacker News: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc
  • Cisco’s ISE bugs could allow root-level command execution
  • www.bleepingcomputer.com: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • ciso2ciso.com: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc – Source:thehackernews.com
  • ciso2ciso.com: Cisco’s ISE bugs could allow root-level command execution – Source: www.csoonline.com

@gbhackers.com //
Cisco has released a critical patch for a high-severity vulnerability in its Meeting Management tool, which has been given a CVSS rating of 9.9. The vulnerability, identified as CVE-2025-20156, could allow a remote attacker with low privileges to gain admin-level access to affected devices. Exploitation is achieved by sending crafted API requests to a specific endpoint, bypassing the system's access controls. The flaw primarily affects edge nodes, which are critical components of Cisco's video conferencing infrastructure managed by the tool. Cisco has acknowledged the vulnerability and issued an alert, urging customers to apply the patch immediately.

The vulnerability impacts most versions of Cisco Meeting Management, with the exception of version 3.10. Users with earlier releases, 3.8 and below, will need to migrate to a supported version. Specifically, release 3.9 should be upgraded to version 3.9.1. Although there have been no confirmed reports of the exploit being used in the wild yet, Cisco encourages all users to update as soon as possible, as a Proof-of-Concept (PoC) exploit could surface at any time. The discovery of this flaw was credited to Modux bug hunter Ben Leonard-Lagarde.

Recommended read:
References :
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • The Register: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug No in-the-wild exploits … yet Cisco has pushed a patch for a critical, 9.9-rated vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to escalate to administrator on affected devices.…
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register 「"An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert」
  • Pyrzout :vm:: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register

@gbhackers.com //
Cisco has issued critical security patches to address vulnerabilities in its ClamAV software and Meeting Management platform. A denial-of-service flaw, identified as CVE-2025-20128, affects ClamAV and can be exploited by submitting a crafted file that terminates the scanning process. Proof-of-concept exploit code is available, although there's no indication it has been used in the wild. This ClamAV vulnerability is due to a heap-based buffer overflow bug within the OLE2 file parser, impacting Cisco Secure Endpoint Connectors for Windows, Linux, and macOS. Cisco advises users to immediately update to ClamAV versions 1.4.2 or 1.0.8 to remediate this threat, since a successful attack could disrupt security workflows by stopping the malware scanning function.

Additionally, a critical privilege escalation vulnerability, CVE-2025-20156, has been discovered in the Cisco Meeting Management REST API. This flaw allows remote authenticated attackers with low privileges to elevate their access to administrator level on affected devices. It stems from improper authorization enforcement within the REST API, enabling attackers to gain control of edge nodes managed by Cisco Meeting Management. The vulnerability impacts versions 3.9 and earlier, but not 3.10. Upgrading to version 3.9.1 or 3.10 is essential, as there are no workarounds available. Cisco has released software updates for this vulnerability, alongside fixes for a separate flaw in its BroadWorks platform.

Recommended read:
References :
  • gbhackers.com: Cisco has issued a critical advisory regarding a privilege escalation vulnerability in its Meeting Management REST API.
  • securityaffairs.com: Cisco addressed a critical flaw in its Meeting Management that could allow it to gain administrator privileges on vulnerable instances.
  • The Hacker News: Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker with low level access
  • social.skynetcloud.site: Cisco Meeting Management REST API Privilege Escalation Vulnerability
  • ciso2ciso.com: Cisco Meeting Management REST API Privilege Escalation Vulnerability – Source:sec.cloudapps.cisco.com #'Cyber
  • www.helpnetsecurity.com: Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.heise.de: Cisco: Critical security vulnerability in Meeting Management Cisco warns of a critical vulnerability in Meeting Management as well as vulnerabilities in Broadworks and ClamAV.
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • Pyrzout :vm:: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: The article highlights a critical vulnerability in Cisco's Meeting Management tool.
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • The Register: The story focuses on a 9.9-rated vulnerability in Cisco Meeting Management, highlighting potential remote code execution risks.
  • social.heise.de: This discusses the vulnerability in Cisco's Meeting Management software.
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register 「"An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert」
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com