Command Injection Vulnerability in Cisco IOS XE Software's Web Management Interface
CVE-2025-20186

8.8 HIGH

Key Information:

Vendor
Cisco
CVE Published:
7 May 2025

Badges

👾 Exploit Exists

Summary

A command injection vulnerability exists in the web-based management interface of Cisco IOS XE Software, allowing an authenticated remote attacker with a lobby ambassador user account to execute arbitrary CLI commands. This risk arises from inadequate input validation, permitting crafted input to be sent to the interface. A successful attack could enable execution of commands with privilege level 15, provided the attacker possesses the credentials for the lobby ambassador account, which is not configured by default. Organizations using affected Cisco devices should take steps to mitigate this threat.

Affected Version(s)

Cisco IOS XE Software 16.12.8

Cisco IOS XE Software 16.12.4

Cisco IOS XE Software 16.12.4a

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
