Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because parameters that are received by an API endpoint are not sufficiently validated. An attacker could exploit this vulnerability by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to create a new user with privilege level 1 access to the web-based management API. The attacker would then be able to access the device with these new credentials and privileges.
AnalysisAI
Insufficient parameter validation in Cisco IOS XE Software's Lobby Ambassador management API allows authenticated remote attackers to bypass access controls and create unauthorized administrative accounts. An attacker with standard Lobby Ambassador credentials can exploit this flaw to escalate privileges and gain full management API access on affected devices. This impacts Cisco and Apple products and currently has no available patch.
Technical ContextAI
The vulnerability resides in Cisco IOS XE Software's web-based management API, specifically the Lobby Ambassador component which provides limited administrative functionality. The root cause is classified under CWE-1286 (Improper Validation of Syntactic Correctness of Input), meaning the API endpoint receives and processes user-supplied parameters without adequate validation or sanitization before using them in privileged operations such as user creation. The Lobby Ambassador role is designed as a limited-privilege administrative role, but the lack of parameter validation allows attackers to bypass role-based access control (RBAC) enforcement. This affects Cisco IOS XE Software across multiple major versions from 16.11 through 17.18, as identified via the CPE specification cpe:2.3:a:cisco:cisco_ios_xe_software. The vulnerability requires authentication as a Lobby Ambassador user, meaning it cannot be exploited by unauthenticated network attackers, which limits its attack surface.
RemediationAI
Upgrade Cisco IOS XE Software to a patched version released after the advisory publication date (consult https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-lobby-privesc-KwxBqJy for specific fixed versions per major release line). Until patching is complete, implement restrictive network access controls by limiting access to the web-based management API to trusted administrative subnets and VPN endpoints only, enforce mutual TLS (mTLS) for API communications if supported, and review and minimize the number of accounts granted Lobby Ambassador privileges using the principle of least privilege. Additionally, implement robust logging and alerting on API endpoint activity, specifically monitoring for user creation requests from Lobby Ambassador sessions, and consider implementing API rate limiting or request filtering to block suspicious parameter combinations. If available, consult Cisco TAC for interim guidance on disabling the Lobby Ambassador role if it is not actively required in your environment.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15445
GHSA-3855-fjjh-9xh2