Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable management interface (AV:N/AC:L), but a valid low-privilege authenticated session is required (PR:L); access-control bypass yields full device compromise, hence C:H/I:H/A:H.
Primary rating from Vendor (cisco).
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities.
The vulnerabilities tracked by CVE-2026-20150 are related to improper access control that are grouped under the Common Weakness Enumeration (CWE) Pillar CWE-284.
AnalysisAI
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a low-privilege authenticated foothold on the Cisco RoomOS device or its management interface (CVSS PR:L), reachable over the network (AV:N) with no user interaction and low complexity. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8 High) signals a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding full CIA compromise - a serious combination for an endpoint that often sits on trusted corporate networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged authenticated session on a Cisco RoomOS endpoint - for example a compromised local user account or an over-permissioned network-adjacent integration credential - sends crafted requests to a management interface that fails to properly enforce access control. Exploiting the low-complexity flaw, they escalate to administrative control of the device, enabling them to alter configuration, intercept or manipulate meeting media, or disrupt the endpoint. … |
| Remediation | Patch available per vendor advisory: upgrade affected Cisco RoomOS endpoints to the hardened software release described in Cisco Security Advisory cisco-sa-hardening-roomos-AqNMbEq (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hardening-roomos-AqNMbEq); the exact fixed version string is not provided in the available data and should be taken directly from that advisory or the device's Webex Control Hub update channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, conduct a complete inventory of all Cisco RoomOS devices in your environment and implement network segmentation restricting administrative access to authorized personnel only, using firewall rules and VLANs to isolate management functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cisco Roomos Software
View allMemory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpo
Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected c
Remote denial of service in Cisco RoomOS software allows unauthenticated attackers to exhaust or corrupt a resource over
Denial of service in Cisco RoomOS software allows remote, unauthenticated attackers to disrupt device availability throu
Sensitive information disclosure affects Cisco RoomOS software running on Cisco collaboration room endpoints, where miss
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44715
GHSA-f3fw-7mc3-5vg7