CVE-2025-20190

Name of the Vulnerable Software and Affected Versions Cisco IOS XE Wireless Controller Software (affected versions not specified)

Description A vulnerability in the lobby ambassador web interface could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This issue is due to insufficient access control of actions executed by lobby ambassador users. An attacker could exploit this by logging in with a lobby ambassador user account and sending crafted HTTP requests to the API, potentially allowing the deletion of arbitrary user accounts, including those with administrative privileges. Note that this vulnerability is exploitable only if the attacker obtains the credentials for a lobby ambassador account, which is not configured by default.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.