CVE-2025-20190

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-20190
A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This vulnerability is due to insufficient access control of actions executed by lobby ambassador users. An attacker could exploit this vulnerability by logging in to an affected device with a lobby ambassador user account and sending crafted HTTP requests to the API. A successful exploit could allow the attacker to delete arbitrary user accounts on the device, including users with administrative privileges. Note: This vulnerability is exploitable only if the attacker obtains the credentials for a lobby ambassador account. This account is not configured by default.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-user-del-hQxMpUDj
Configurations

No configuration.

History

08 May 2025, 14:39

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en la interfaz web de embajador de lobby del software del controlador inalámbrico Cisco IOS XE podría permitir que un atacante remoto autenticado elimine usuarios arbitrarios definidos en un dispositivo afectado. Esta vulnerabilidad se debe a un control de acceso insuficiente para las acciones ejecutadas por los usuarios de embajador de lobby. Un atacante podría explotar esta vulnerabilidad iniciando sesión en un dispositivo afectado con una cuenta de usuario de embajador de lobby y enviando solicitudes HTTP manipuladas a la API. Una explotación exitosa podría permitir al atacante eliminar cuentas de usuario arbitrarias en el dispositivo, incluyendo usuarios con privilegios administrativos. Nota: Esta vulnerabilidad solo es explotable si el atacante obtiene las credenciales de una cuenta de embajador de lobby. Esta cuenta no está configurada por defecto.

07 May 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-07 18:15

Updated : 2025-05-08 14:39

NVD link : CVE-2025-20190

Mitre link : CVE-2025-20190

CVE.ORG link : CVE-2025-20190

JSON object : View

Products Affected

No product.

CWE
CWE-284

Improper Access Control