CVE-2025-20186
published 2025-05-07

Priority: P2 (64) · high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.16% (63.1st percentile)
A vulnerability in the web-based management interface of the Wireless LAN Controller feature of Cisco IOS XE Software could allow an authenticated, remote attacker with a lobby ambassador user account to perform a command injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary Cisco IOS XE Software CLI commands with privilege level 15. Note: This vulnerability is exploitable only if the attacker obtains the credentials for a lobby ambassador account. This account is not configured by default.

Affected

153 ranges · showing 25

Vendor | Product               | Version range | Fixed in
cisco  | cisco_ios_xe_software | (not listed)  | (not listed)

Detection & IOCs (extracted from sources)

  • Detect command injection attempts via the Cisco IOS XE web-based management interface (Wireless LAN Controller feature) originating from authenticated lobby ambassador accounts — look for crafted/unexpected input in web UI requests that may contain CLI command syntax
  • Alert on privilege escalation to privilege level 15 on Cisco IOS XE devices initiated through the web-based management interface, especially when the session is associated with a lobby ambassador account
  • Monitor for the existence or unexpected activation of lobby ambassador accounts on Cisco IOS XE devices — this account type is not present by default and its presence may indicate pre-exploitation staging
  • Track Cisco bug ID CSCwk27168 for patch status; use this identifier to correlate vendor advisories and affected software version lists for IOS XE Wireless LAN Controller deployments
  • The vulnerability only exists when the Wireless LAN Controller feature is active on Cisco IOS XE and a lobby ambassador account has been configured — devices without this account are not exploitable
  • There are no workarounds available; the only remediation is applying Cisco's software updates

CVSS provenance

NVD (CVSS v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor (Cisco): 8.8 HIGH