Cisco IOS XE Wireless Controller Software Unauthorized User Deletion Vulnerability
TL;DR 📌
A vulnerability in the Cisco IOS XE Wireless Controller Software allows authenticated remote attackers to delete user accounts, including those with administrative privileges. This issue arises from insufficient access control in the lobby ambassador web interface. No workarounds are available, but Cisco has released software updates to address the vulnerability.
What happened 🕵️♂️
Cisco has identified a vulnerability in the lobby ambassador web interface of its IOS XE Wireless Controller Software. This flaw enables authenticated attackers to remove arbitrary user accounts from affected devices by exploiting insufficient access control. The vulnerability can only be exploited if the attacker has obtained credentials for a lobby ambassador account, which is not configured by default.
Affected products 🖥️
The following Cisco products are affected if they are running a vulnerable release of Cisco IOS XE Wireless Controller Software and have lobby ambassador user accounts enabled:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controllers on Catalyst Access Points
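Because exposure hinges on whether any lobby ambassador account exists (none is configured by default), the first thing to establish is which controllers actually have one. The following script is an added example written for this page, not Cisco's code: it parses constructed `show running-config` and `show version` output from a Catalyst 9800 and reports the lobby ambassador usernames and the running IOS XE version. It assumes, per the Catalyst 9800 configuration guide, that a lobby ambassador is a `user-name` block whose `type` is `lobby-admin`; the sample config text and hostnames are invented for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show running-config` output (not captured from a real
# device). Assumption: a lobby ambassador account is a `user-name` block whose
# `type` line reads `lobby-admin`; ordinary network users use `network-user`.
SAMPLE_RUNNING_CONFIG = """\
!
version 17.9
hostname wlc-9800-lab
!
username netadmin privilege 15 secret 9 $9$EXAMPLEHASH
!
user-name lobbyuser
 type lobby-admin
 password 0 REDACTED
!
user-name guestops
 type network-user
 password 0 REDACTED
!
end
"""

# Constructed sample of the first lines of `show version` on IOS XE.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.09.04a
Cisco IOS Software [Cupertino], C9800 Software (C9800_IOSXE-K9), Version 17.9.4a, RELEASE SOFTWARE (fc3)
"""


def lobby_ambassador_users(running_config: str) -> List[str]:
    """Return the names of `user-name` blocks whose type is `lobby-admin`.

    IOS XE indents the body of a `user-name` block by one space, so a line
    that does not start with whitespace either opens a new block or ends the
    current one. `username ...` (classic local users) is deliberately ignored.
    """
    users: List[str] = []
    current: Optional[str] = None
    for line in running_config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"^user-name\s+(\S+)\s*$", line)
            current = m.group(1) if m else None
            continue
        if current and re.match(r"^\s+type\s+lobby-admin\s*$", line):
            users.append(current)
    return users


def ios_xe_version(show_version: str) -> Optional[str]:
    """Extract the version string from the `Cisco IOS XE Software, Version` line."""
    m = re.search(r"Cisco IOS XE Software, Version (\S+)", show_version)
    return m.group(1) if m else None


def assess(running_config: str, show_version: str) -> Dict[str, object]:
    """Summarise exposure to CVE-2025-20190 for one controller.

    A device with no lobby ambassador account is not affected regardless of
    version. Whether `version` is a fixed release must still be checked against
    Cisco's Software Checker; this script does not encode the fixed-release list.
    """
    users = lobby_ambassador_users(running_config)
    return {
        "version": ios_xe_version(show_version),
        "lobby_ambassador_users": users,
        "exposed_if_unfixed": bool(users),
    }


if __name__ == "__main__":
    # In practice, feed this the output collected over SSH from each controller.
    print(assess(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_VERSION))
```

Run it against the raw text you collect from each controller; any device that reports no lobby ambassador users can be deprioritised, while the rest need their version compared with the first fixed release for their train.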
Fixed software 🔧
Cisco has released software updates that address this vulnerability. The first fixed release depends on the IOS XE release train the controller runs, so use the Cisco Software Checker, linked from the advisory, to identify the first fixed release for your train, then upgrade to that release or later. Devices with no lobby ambassador accounts configured are not affected and can be upgraded on the normal maintenance cycle.
Workarounds 🧯
There are no workarounds that address this vulnerability.
Risk in context 🎯
The vulnerability has a CVSS base score of 6.5 (MEDIUM). The score is moderated by the requirement for valid credentials, and the vector records impact on integrity only (C:N/I:H/A:N). In practice the consequence is larger than the vector suggests: an attacker who holds a lobby ambassador credential, an account type normally issued to front-desk or guest-provisioning staff with no expectation of administrative rights, can delete the controller's administrative accounts and lock operators out of management. Exposure is therefore proportional to how widely lobby ambassador credentials are distributed and how well they are protected.
Fast facts ⚡
- Vulnerability ID: CVE-2025-20190
- CVSS Score: 6.5 (MEDIUM)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Exploitation: Remote, over the network, using valid lobby ambassador credentials (not configured by default)
- No workarounds available
For leadership 🧭
Organizations running the affected products should first determine which controllers have lobby ambassador accounts configured, since only those are exposed, and then upgrade them to a fixed release. Until the upgrade is complete, review who holds lobby ambassador credentials and revoke any that are unused, because possession of such a credential is all an attacker needs to delete administrative accounts. For fixed-release details consult the Cisco Security Advisories page and, where needed, engage the Cisco Technical Assistance Center (TAC).