Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw

Cisco has released patches for a critical privilege escalation vulnerability in Meeting Management (CVE-2025-20156) and a heap-based buffer overflow flaw (CVE-2025-20128) that, when triggered, could terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector.

Proof-of-concept (PoC) exploit code for CVE-2025-20128 is available, Cisco said, but the company is not aware of the vulnerability being exploited in the wild. Credit for reporting the flaw has been given to OSS-Fuzz, Google’s continuous fuzzing program for open source software, which means that the PoC is unlikely to end up online anytime soon.

Nevertheless, users are advised to implement the security updates as soon as possible.

About CVE-2025-20156

Cisco Meeting Management is a tool for monitoring and managing meetings running on Cisco Meeting Server, the company’s on-premises video meeting platform.

CVE-2025-20156 exists because proper authorization is not enforced upon users of the solution’s REST API. This weakness can be used by remote, authenticated attackers with low privileges to elevate privileges to administrator on an affected device, by simply sending API requests to a specific endpoint.

“A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management,” Cisco explained.

The vulnerability affects Cisco Meeting Management version 3.9 as well as 3.8 and earlier, and does not affect version 3.10. Since there is no available workaround, admins should upgrade to a fixed version (3.9.1) or to the unaffected one (3.10).

CVE-2025-20156 was reported by Ben Leonard-Lagarde of Bristol-based pentesting outfit Modux.

About CVE-2025-20128

CVE-2025-20128 is a heap buffer overflow bug in the OLE2 file parser used by ClamAV, the open-source anti-malware toolkit maintained by Cisco’s Talos cybersecurity division.

“An attacker could exploit [CVE-2025-20128] by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software,” Cisco explained.

The vulnerability has been fixed in versions 1.4.2 and 1.0.8 of ClamAV, but since ClamAV is leveraged by various Cisco software solutions, the fix has to be propagated.

The company has confirmed that its Secure Email Gateways and Secure Web Appliances are unaffected, but Cisco Secure Endpoint Connectors for Windows, Linux and macOS – distributed from Cisco Secure Endpoint Private Cloud – are, and all of them should be upgraded to a fixed release: 7.5.20 or 8.4.31 (for Windows), 1.25.1 (for Linux), 1.24.4 (for macOS).

Cisco Secure Endpoint Private Cloud is not affected, but should be on version 4.2.0, with updated connectors.
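Because the fix lands in two ClamAV branches and in per-platform connector builds, "is this host patched?" is a per-branch comparison rather than a single threshold. The helper below is an added example for this article, not a Cisco tool; it takes only the fixed release numbers quoted above. Its one assumption, which the advisory text does not state, is conservative: a build counts as patched if it sits on the same major.minor branch as a fixed release and is not older than it, or if it is not older than the newest fixed release overall. Anything else (a ClamAV 1.2.x build, say, for which no fix is listed) is reported as needing an upgrade. The inventory lines are constructed sample data.

```python
"""Check installed ClamAV / Secure Endpoint Connector versions against the
CVE-2025-20128 fixed releases. Added example, not a Cisco tool.

Assumption (not from the advisory): patched means "on a fixed branch at or
above its fix" or "at or above the newest fix"; everything else is flagged.
"""
import re

# Fixed releases exactly as named in the article.
FIXED = {
    "clamav": ["1.0.8", "1.4.2"],
    "connector-windows": ["7.5.20", "8.4.31"],
    "connector-linux": ["1.25.1"],
    "connector-macos": ["1.24.4"],
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version from strings such as '1.4.1',
    'ClamAV 1.0.7/27538/...' (clamscan --version style) or 'v8.4.30'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(product: str, version: str) -> bool:
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in FIXED[product])
    if v >= fixes[-1]:                 # newest fix or anything later
        return True
    # Same major.minor branch as an earlier fix, and not older than it.
    return any(v[:2] == f[:2] and v >= f for f in fixes)


def recommended_fix(product: str, version: str) -> str:
    """Smallest fixed release on the host's branch, else the newest fix."""
    v = parse_version(version)
    for fix in sorted(FIXED[product], key=parse_version):
        if parse_version(fix)[:2] == v[:2]:
            return fix
    return max(FIXED[product], key=parse_version)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return (host, product, recommended_fix) for every build still exposed."""
    return [
        (host, product, recommended_fix(product, version))
        for host, product, version in inventory
        if not is_patched(product, version)
    ]


# Constructed sample inventory: (hostname, product, version string as reported).
SAMPLE_INVENTORY = [
    ("mail-scan-01", "clamav", "ClamAV 1.4.1/27538/Thu Jan 23 08:20:11 2025"),
    ("mail-scan-02", "clamav", "ClamAV 1.0.8/27538/Thu Jan 23 08:20:11 2025"),
    ("legacy-av", "clamav", "ClamAV 1.2.3"),
    ("win-ws-17", "connector-windows", "8.4.30"),
    ("win-ws-18", "connector-windows", "7.5.20"),
    ("build-lnx-3", "connector-linux", "1.25.0"),
    ("mac-dev-9", "connector-macos", "1.24.4"),
]

if __name__ == "__main__":
    for host, product, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} needs upgrade to {fix}")
```

Running it against the sample inventory flags `mail-scan-01` (1.4.1, upgrade to 1.4.2), `legacy-av` (1.2.3, no fix on its branch, so 1.4.2), `win-ws-17` (8.4.30 to 8.4.31) and `build-lnx-3` (1.25.0 to 1.25.1), and leaves the hosts already on 1.0.8, 7.5.20 and 1.24.4 alone.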

“Updated releases of Cisco Secure Endpoint Connector are available through the Cisco Secure Endpoint portal. Depending on the configured policy, Cisco Secure Endpoint Connector will automatically update,” Cisco says.

“Affected releases of Cisco Secure Endpoint Connector clients for Cisco Secure Endpoint Private Cloud have been updated in the connector repository. Customers will get these connector updates through normal content update processes.”
