CVE-2025-20329

4.9 MEDIUM

📋 TL;DR

This vulnerability allows an authenticated administrator on Cisco TelePresence CE and RoomOS systems to view unencrypted credentials in audit logs when SIP media component logging is enabled. An attacker who already holds administrative access can obtain credentials they should not have, potentially gaining access to sensitive information including PII. Only systems with SIP media component logging enabled are affected.

💻 Affected Systems

Products:
  • Cisco TelePresence Collaboration Endpoint (CE)
  • Cisco RoomOS Software
Versions: All versions before the fix
Operating Systems: Cisco RoomOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SIP media component logging is enabled. Requires administrative credentials to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator obtains credentials for other systems/services, accesses confidential data including PII, and potentially moves laterally within the network.

🟠 Likely Case

Administrator discovers and misuses credentials for adjacent systems, leading to unauthorized access to sensitive information.

🟢 If Mitigated

With proper access controls and monitoring, credential misuse is detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires administrative credentials and access to logs (either locally or in Webex Cloud).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-inf-disc-qGgsbxAm

Restart Required: No

Instructions:

1. Review the Cisco advisory for affected versions.
2. Update to the recommended fixed version.
3. Verify that SIP media logging is disabled if it is not needed.

🔧 Temporary Workarounds

Disable SIP Media Logging (applies to: all)

Disable SIP media component logging to prevent credentials from being written to logs:

xConfiguration Logging SIPMedia: Off

🧯 If You Can't Patch

  • Disable SIP media component logging immediately
  • Restrict administrative access to only trusted personnel and implement strict monitoring of admin activities

🔍 How to Verify

Check if Vulnerable:

Check if SIP media logging is enabled: xStatus Logging SIPMedia

Check Version:

xStatus SystemUnit Software Version

Verify Fix Applied:

Verify that SIP media logging is disabled, or that the system has been updated to a fixed version.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to audit logs
  • Multiple failed login attempts followed by successful admin login
  • Unusual credential usage patterns

Network Indicators:

  • Unexpected administrative access to logging interfaces
  • Unusual data exfiltration from logging systems

SIEM Query:

source="cisco-roomos" AND (event="log_access" OR event="admin_login") AND user="administrator"
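As an added example (not part of the original advisory card), the following Python applies the two log-based indicators listed above to constructed audit records: the SIEM query as a record filter, and the "multiple failed login attempts followed by a successful admin login" pattern as a windowed sequence check. The record layout, timestamps and the event names `log_access`, `admin_login` and `login_failed` are assumptions chosen to mirror the SIEM query, not documented RoomOS event names.

```python
"""Added example: run the card's detection indicators over constructed
RoomOS-style audit records. Record fields and event names are assumptions
made for this example, not real RoomOS output."""
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical format, not real RoomOS logs).
SAMPLE_LOGS = [
    {"ts": "2025-01-10T09:00:01", "source": "cisco-roomos", "event": "login_failed", "user": "administrator"},
    {"ts": "2025-01-10T09:00:20", "source": "cisco-roomos", "event": "login_failed", "user": "administrator"},
    {"ts": "2025-01-10T09:00:45", "source": "cisco-roomos", "event": "login_failed", "user": "administrator"},
    {"ts": "2025-01-10T09:01:10", "source": "cisco-roomos", "event": "admin_login",  "user": "administrator"},
    {"ts": "2025-01-10T09:02:00", "source": "cisco-roomos", "event": "log_access",   "user": "administrator"},
    {"ts": "2025-01-10T09:05:00", "source": "cisco-roomos", "event": "admin_login",  "user": "ops-user"},
    {"ts": "2025-01-10T09:06:00", "source": "other-system", "event": "log_access",   "user": "administrator"},
]


def siem_match(record):
    """Equivalent of the card's SIEM query:
    source="cisco-roomos" AND (event="log_access" OR event="admin_login")
    AND user="administrator"."""
    return (
        record["source"] == "cisco-roomos"
        and record["event"] in ("log_access", "admin_login")
        and record["user"] == "administrator"
    )


def failed_then_success(records, threshold=3, window=timedelta(minutes=5)):
    """Flag an admin_login for a user that was preceded by at least
    `threshold` login_failed events for the same user within `window`.
    Returns a list of (user, login timestamp, number of recent failures)."""
    ordered = sorted(records, key=lambda r: r["ts"])
    failures = {}  # user -> timestamps of recent failed attempts
    alerts = []
    for r in ordered:
        ts = datetime.fromisoformat(r["ts"])
        user = r["user"]
        if r["event"] == "login_failed":
            failures.setdefault(user, []).append(ts)
        elif r["event"] == "admin_login":
            recent = [t for t in failures.get(user, []) if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, r["ts"], len(recent)))
            failures[user] = []  # a successful login closes the sequence
    return alerts


def run_detections(records):
    """Apply both indicators and return their hits."""
    return {
        "siem_hits": [r for r in records if siem_match(r)],
        "bruteforce_alerts": failed_then_success(records),
    }


if __name__ == "__main__":
    results = run_detections(SAMPLE_LOGS)
    for hit in results["siem_hits"]:
        print("SIEM hit:", hit["ts"], hit["event"], hit["user"])
    for user, ts, n in results["bruteforce_alerts"]:
        print(f"ALERT: {user} logged in at {ts} after {n} failed attempts")
```

The SIEM filter on its own matches every routine administrator login and log read, so on a real deployment it is a data source for review rather than an alert; the sequence check is the part that carries signal, and `threshold` and `window` should be tuned to the site's normal admin behaviour.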
