Cisco Patches Critical Vulnerabilities in Meeting Software
- Feb 5
Key Findings
- Cisco has released urgent updates to address critical vulnerabilities in Cisco Meeting Management and Cisco TelePresence Collaboration Endpoint (CE) Software
- The vulnerabilities could allow attackers to seize control of meeting management systems or crash communication endpoints
- The most severe flaw, CVE-2026-20098, carries a high CVSS score of 8.8 and allows remote attackers to execute arbitrary commands with root privileges
Background
- Cisco Meeting Management is a tool used to manage Cisco Meeting Server deployments
- Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software are central to enterprise video conferencing
Cisco Meeting Management Vulnerability (CVE-2026-20098)
- A vulnerability in the Certificate Management feature allows authenticated, remote attackers to upload arbitrary files and execute commands with root privileges
- Attackers only need a "video operator" role account to exploit the flaw
- Once authenticated, they can send a crafted HTTP request to upload malicious files that can overwrite system files processed by the root account
Cisco TelePresence Vulnerability (CVE-2026-20119)
- Denial of Service (DoS) vulnerability in the text rendering subsystem
- Allows unauthenticated, remote attackers to cause a DoS condition by getting the affected device to render crafted text, such as in a meeting invitation
- No user interaction is required: the mere act of processing the malicious text is enough to force a device reload, disrupting communications
Patching and Mitigation
- Cisco has released fixes for both vulnerabilities
- For Cisco Meeting Management, users on release 3.12 and earlier must update to 3.12.1 MR or later
- For TelePresence CE and RoomOS, the fix depends on the deployment (on-premises vs. cloud), with specific firmware versions available
- Administrators are urged to patch these systems immediately to maintain secure video conferencing
Sources
https://securityonline.info/toxic-invites-root-access-cisco-patches-critical-meeting-flaws/
https://securityonline.info/cisa-warns-of-unpatched-avation-riss-critical-flaws/
https://x.com/the_yellow_fall/status/2019232312249012624

