CVE-2025-20190: Improper Access Control in Cisco IOS XE Software

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 77.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 7

Description

A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This vulnerability is due to insufficient access control of actions executed by lobby ambassador users. An attacker could exploit this vulnerability by logging in to an affected device with a lobby ambassador user account and sending crafted HTTP requests to the API. A successful exploit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software, 7 versions (+6)
NVD: cisco/ios_xe, 7 versions (+6)

Vulnerability Details (2)

CVEList, 2025-05-07
CVE-2025-20190: A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to re…
GHSA, 2025-05-07
GHSA-q4xx-mxw3-33fm: A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to re…

Vendor Advisories (1)

Cisco, 2025-05-07
Cisco IOS XE Wireless Controller Software Unauthorized User Deletion Vulnerability
CVE-2025-20190 — Improper Access Control in Cisco | cvebase