Cisco IOS XE Software Web-Based Management Interface Command Injection Vulnerability

SecurityVulns
Yanac

A vulnerability in the web-based management interface of the Wireless LAN Controller feature of Cisco IOS XE Software could allow an authenticated, remote attacker with a <em>lobby ambassador</em> user account to perform a&nbsp;command injection attack against an affected device.<br><br>
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary Cisco IOS XE Software CLI commands with privilege level 15.<br><br>
<strong>Note</strong><strong>:</strong> This vulnerability is exploitable only if the attacker obtains the credentials for a <em>lobby ambassador </em>account. This account is not configured by default.<br><br>

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br>
This advisory is available at the following link:<br><a href=”https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-gVn3OKNC”>https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-gVn3OKNC</a><br><br>

This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href=”https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279″>Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br>

<br/>Security Impact Rating: High

<br/>CVE: CVE-2025-20186Cisco Security AdvisoryRead More