Alerts

Cisco Meeting Management Vulnerability Allows Authenticated Attackers to Gain Root Access

Zero Day Wire

05 Feb 2026 — 1 min read

Cisco has released a security advisory for CVE-2026-20098, a high-severity vulnerability in Cisco Meeting Management that allows authenticated remote attackers to upload arbitrary files, execute commands, and escalate privileges to root.

The flaw carries a CVSS score of 8.8 and affects all versions of Cisco Meeting Management prior to 3.12.1 MR. No workarounds are available — patching is the only remediation.

Vulnerability Details

The vulnerability exists in the Certificate Management feature of the web-based management interface due to improper input validation. An attacker with valid credentials for a user account with at least the "video operator" role can send a crafted HTTP request to upload arbitrary files to the system.

The uploaded files can overwrite system files processed by the root account, enabling arbitrary command execution with root privileges. This effectively grants complete control over the affected server.

Affected Versions

All Cisco Meeting Management releases 3.12 and earlier are vulnerable regardless of device configuration.

Fixed Release: 3.12.1 MR

Exploitation Status

Cisco PSIRT is not aware of any public announcements or malicious exploitation of this vulnerability in the wild.

Discovery

The vulnerability was reported by the NATO Cyber Security Centre Penetration Testing Team.

Recommendation

Organizations running Cisco Meeting Management should upgrade to version 3.12.1 MR immediately. The authentication requirement (video operator role) lowers the attack surface somewhat, but compromised credentials or insider threats could enable exploitation. No workarounds or mitigations are available short of patching.

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

PayPal has confirmed a data exposure incident affecting its Working Capital (PPWC) business loan service, where a software code change left sensitive customer information accessible for nearly six months before being detected. The exposure ran from 1 July 2025 to 12 December 2025, when the error was finally discovered and

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

A financially motivated Russian-speaking cybercrime group compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, using off-the-shelf generative AI tools to scale an operation that would traditionally require a well-resourced team, according to a new incident report from AWS. The campaign, which ran from

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors