Cisco has released urgent updates for two of its major collaboration platforms, addressing critical vulnerabilities that could allow attackers to seize control of meeting management systems or crash communication endpoints. The advisories cover Cisco Meeting Management and Cisco TelePresence Collaboration Endpoint (CE) Software, both of which are central to enterprise video conferencing.
The more severe of the two, CVE-2026-20098, carries a high CVSS score of 8.8, signaling a serious risk of system compromise.
The first advisory targets Cisco Meeting Management, a tool used to manage Cisco Meeting Server deployments. The vulnerability lies in the Certificate Management feature, where improper input validation leaves the door open for abuse.
According to the advisory, “A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system”.
The attack vector requires valid credentials, but the barrier to entry is relatively low—an attacker only needs an account with the “video operator” role. Once authenticated, they can send a crafted HTTP request to upload malicious files.
The potential impact is catastrophic. “The malicious files could overwrite system files that are processed by the root system account and allow arbitrary command execution with root privileges,” the report warns.
The second advisory, CVE-2026-20119 (CVSS 7.5), affects Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software. This vulnerability is a Denial of Service (DoS) threat that stems from the text rendering subsystem.
The flaw allows an “unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device”.
What makes this particularly dangerous is that it requires no user interaction. An attacker can trigger the crash simply by “getting the affected device to render crafted text, for example, a crafted meeting invitation”. The victim doesn’t even need to accept the invite; the mere act of the device processing the text is enough to force a reload, disrupting communications.
Cisco has released patches for both vulnerabilities.
- For Cisco Meeting Management, users on release 3.12 and earlier are vulnerable and must update to 3.12.1 MR or later.
- For TelePresence CE and RoomOS, the fix depends on the deployment (on-premises vs. cloud), with fixed releases available for RoomOS October 2025, December 2025, and specific firmware versions like 11.27.5.0 and 11.32.3.0.
With one flaw offering root access and the other capable of crashing endpoints with a single invite, administrators are urged to patch these systems immediately to keep their meetings running securely.