CVE-2026-20098: Meeting Adjourned: Rooting Cisco CMM via Certificate Management

#security #cve #cybersecurity

Meeting Adjourned: Rooting Cisco CMM via Certificate Management

Vulnerability ID: CVE-2026-20098
CVSS Score: 8.8
Published: 2026-02-04

A critical flaw in Cisco Meeting Management (CMM) allows low-privileged users ('Video Operators') to upload arbitrary files, overwriting system binaries or configurations. Because the backend processes these files as root, this leads to immediate Remote Code Execution (RCE). The vulnerability resides in the Certificate Management module, which fails to sanitize file paths, effectively turning a maintenance feature into a backdoor generator.

TL;DR

Authenticated 'Video Operators' can upload files with directory traversal characters to overwrite system files. By targeting files processed by root (like cron jobs or init scripts), attackers achieve full root RCE. No workaround exists; patching is mandatory.

Technical Details

CWE ID: CWE-434
Attack Vector: Network (Authenticated)
CVSS: 8.8 (High)
Impact: Remote Code Execution (Root)
Exploit Status: No Public PoC
EPSS Score: 0.90%

Affected Systems

Cisco Meeting Management 2.9.x
Cisco Meeting Management 3.x < 3.12.1
Cisco Meeting Management: 2.9.0 - 2.9.1 (Fixed in: 3.12.1)
Cisco Meeting Management: 3.0.0 - 3.12.0 (Fixed in: 3.12.1)

Mitigation Strategies

Input Validation: Ensure all filenames are sanitized (e.g., using secure_filename).
Principle of Least Privilege: Ensure web services do not run as root or have write access to system configuration directories.
Role-Based Access Control (RBAC): Re-evaluate why 'Video Operators' need write access to certificate stores.

Remediation Steps:

Identify the current version of Cisco Meeting Management.
Download the fixed release (3.12.1 or later) from Cisco Software Central.
Apply the upgrade via the CMM administration console.
Audit the system for unauthorized files in /etc/cron.d/ or modified system binaries.