Cisco has recently addressed two critical vulnerabilities: one in its Meeting Management tool that could lead to privilege escalation, and one in ClamAV that could terminate the scanning process on certain endpoints. The first, identified as CVE-2025-20156, allows a remote attacker with low privileges to elevate their access to administrator level by exploiting a weakness in the REST API authorization process. This flaw affects Cisco Meeting Management versions 3.9 and 3.8; users are advised to upgrade to version 3.9.1 or version 3.10 to mitigate the risk.
The second, CVE-2025-20128, is a heap buffer overflow in the OLE2 file parser used by ClamAV. An attacker could exploit it by submitting a specially crafted file for scanning, crashing the scanning process and causing a denial of service (DoS) condition on the affected device. The fix is included in ClamAV versions 1.4.2 and 1.0.8, and users are advised to update their software to prevent exploitation.
Proof-of-concept (PoC) exploit code for CVE-2025-20128 is available, but Cisco has not observed any active exploitation of the vulnerability in the wild. The credit for reporting this flaw goes to OSS-Fuzz, Google’s continuous fuzzing program for open source software, indicating a proactive approach to identifying and addressing security issues before they are maliciously exploited.
While Cisco has confirmed that its Secure Email Gateways and Secure Web Appliances are not affected by these vulnerabilities, users running Cisco Secure Endpoint Connectors for Windows, Linux, and macOS are at risk. These endpoints should be updated to the fixed releases (7.5.20 or 8.4.31 for Windows, 1.25.1 for Linux, 1.24.4 for macOS) to ensure continued protection.
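The practical question for a defender reading the paragraphs above is whether a given installed version sits at or beyond the fixed release for its branch. The following triage helper is an added example, not code from Cisco or the ClamAV project. It encodes only the fixed and affected versions stated in the text above; the product keys, the branch-matching rule (a fix applies to its own major.minor branch), the "ClamAV x.y.z/..." banner format used in the constructed sample, and the result labels are assumptions made here for illustration. Versions on branches the text does not mention are reported as not covered rather than guessed.

```python
"""Triage installed versions against the fixed releases named in the advisory summary.

Added example: the tables below are transcribed from the summary text; they are
not a Cisco-published data file.
"""
import re

# Fixed releases per product, as stated in the text (constructed mapping).
FIXED_RELEASES = {
    "clamav": [(1, 4, 2), (1, 0, 8)],
    "meeting_management": [(3, 10, 0), (3, 9, 1)],
    "secure_endpoint_windows": [(8, 4, 31), (7, 5, 20)],
    "secure_endpoint_linux": [(1, 25, 1)],
    "secure_endpoint_macos": [(1, 24, 4)],
}

# Branches the text explicitly calls affected even where no same-branch fix is
# listed (Meeting Management 3.8 has no 3.8.x fix; the remedy is 3.9.1 or 3.10).
AFFECTED_BRANCHES = {
    "meeting_management": [(3, 8), (3, 9)],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Pull the first dotted version number out of a banner such as
    'ClamAV 1.4.1/27540/...' or a bare '3.10' and return a 3-tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def triage(product, version_text):
    """Classify one installed version.

    Returns one of:
      'fixed'             - same branch as a listed fix and at/after it
      'vulnerable'        - same branch as a listed fix but before it, or on a
                            branch the text names as affected
      'later_than_listed' - newer than every listed fix; verify separately
      'not_covered'       - a branch the text says nothing about
    """
    fixed = FIXED_RELEASES[product]
    version = parse_version(version_text)
    for fix in fixed:
        if version[:2] == fix[:2]:  # assumption: fixes apply per major.minor branch
            return "fixed" if version >= fix else "vulnerable"
    if version[:2] in AFFECTED_BRANCHES.get(product, []):
        return "vulnerable"
    if version > max(fixed):
        return "later_than_listed"
    return "not_covered"


def audit(inventory):
    """Triage a list of (product, version_text) pairs; returns [(product, text, status)]."""
    return [(product, text, triage(product, text)) for product, text in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("clamav", "ClamAV 1.4.1/27540/Tue Jan 21 2025"),
        ("clamav", "ClamAV 1.0.8/27540/Tue Jan 21 2025"),
        ("meeting_management", "3.8.2"),
        ("secure_endpoint_windows", "7.5.19"),
        ("secure_endpoint_macos", "1.24.4"),
    ]
    for product, text, status in audit(sample):
        print(f"{product:24s} {text:40s} {status}")
```

The conservative design choice is deliberate: the helper never reports "fixed" for a branch the advisory text does not list, so a 1.2.x ClamAV build comes back as "not_covered" rather than being silently treated as safe because it is numerically above 1.0.8.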
Cisco has emphasized the importance of implementing security updates promptly to safeguard against potential threats. Customers using Cisco Secure Endpoint Connector clients for Cisco Secure Endpoint Private Cloud will receive the necessary updates through normal content update processes.
Overall, the proactive response from Cisco in addressing these vulnerabilities demonstrates their commitment to maintaining the security and integrity of their software solutions. By promptly releasing patches and communicating mitigation strategies to users, Cisco aims to minimize the risk of exploitation and ensure a secure computing environment for their customers.