Skip to main content

Cisco RoomOS CVE-2026-20150

| EUVDEUVD-2026-44715 HIGH
Improper Access Control (CWE-284)
2026-07-15 cisco GHSA-f3fw-7mc3-5vg7
8.8
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable management interface (AV:N/AC:L), but a valid low-privilege authenticated session is required (PR:L); access-control bypass yields full device compromise, hence C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 16:45 vuln.today
CVE Published
Jul 15, 2026 - 16:17 cve.org
HIGH 8.8

DescriptionCVE.org

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities.

The vulnerabilities tracked by CVE-2026-20150 are related to improper access control that are grouped under the Common Weakness Enumeration (CWE) Pillar CWE-284.

AnalysisAI

Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege authenticated access
Delivery
Reach RoomOS management interface over network
Exploit
Abuse improper access control check
Execution
Escalate to administrative privileges
Impact
Compromise device confidentiality, integrity, and availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a low-privilege authenticated foothold on the Cisco RoomOS device or its management interface (CVSS PR:L), reachable over the network (AV:N) with no user interaction and low complexity. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8 High) signals a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding full CIA compromise - a serious combination for an endpoint that often sits on trusted corporate networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privileged authenticated session on a Cisco RoomOS endpoint - for example a compromised local user account or an over-permissioned network-adjacent integration credential - sends crafted requests to a management interface that fails to properly enforce access control. Exploiting the low-complexity flaw, they escalate to administrative control of the device, enabling them to alter configuration, intercept or manipulate meeting media, or disrupt the endpoint. …
Remediation Patch available per vendor advisory: upgrade affected Cisco RoomOS endpoints to the hardened software release described in Cisco Security Advisory cisco-sa-hardening-roomos-AqNMbEq (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hardening-roomos-AqNMbEq); the exact fixed version string is not provided in the available data and should be taken directly from that advisory or the device's Webex Control Hub update channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct a complete inventory of all Cisco RoomOS devices in your environment and implement network segmentation restricting administrative access to authorized personnel only, using firewall rules and VLANs to isolate management functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-20150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy