securityonline.info 2/5/2026, 3:26:05 AM · via preferred

Toxic Invites & Root Access: Cisco Patches Critical Meeting Flaws


Cisco has issued patches for two of its major collaboration platforms to fix critical flaws that could let attackers seize meeting management systems or crash endpoints.

The high-severity CVE-2026-20098 carries a CVSS score of 8.8 and affects Cisco Meeting Management. A vulnerability in the Certificate Management feature could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. The attack needs only a video operator account and a crafted HTTP request.

The second advisory, CVE-2026-20119 (CVSS 7.5), impacts Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS, enabling an unauthenticated, remote attacker to cause a denial of service by prompting the device to render crafted text, such as a crafted meeting invitation, which can trigger a reload without user interaction.

Patches are available for both flaws. For Cisco Meeting Management, update to release 3.12.1 MR or later. For TelePresence CE and RoomOS, fixes vary by deployment, with RoomOS updates indicated for October 2025 and December 2025 and firmware versions such as 11.27.5.0 and 11.32.3.0. Administrators are urged to apply the updates promptly to keep meetings running securely. According to the advisory, the first flaw could allow root privileges, underscoring the urgency of the remediation.


Article by CyberSIXT