Skip to main content

Cisco CVE-2026-20114

| EUVDEUVD-2026-15445 MEDIUM
Improper Validation of Syntactic Correctness of Input (CWE-1286)
2026-03-25 cisco GHSA-3855-fjjh-9xh2
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15445
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 16:08 nvd
MEDIUM 5.4

DescriptionCVE.org

A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because parameters that are received by an API endpoint are not sufficiently validated. An attacker could exploit this vulnerability by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to create a new user with privilege level 1 access to the web-based management API. The attacker would then be able to access the device with these new credentials and privileges.

AnalysisAI

Insufficient parameter validation in Cisco IOS XE Software's Lobby Ambassador management API allows authenticated remote attackers to bypass access controls and create unauthorized administrative accounts. An attacker with standard Lobby Ambassador credentials can exploit this flaw to escalate privileges and gain full management API access on affected devices. This impacts Cisco and Apple products and currently has no available patch.

Technical ContextAI

The vulnerability resides in Cisco IOS XE Software's web-based management API, specifically the Lobby Ambassador component which provides limited administrative functionality. The root cause is classified under CWE-1286 (Improper Validation of Syntactic Correctness of Input), meaning the API endpoint receives and processes user-supplied parameters without adequate validation or sanitization before using them in privileged operations such as user creation. The Lobby Ambassador role is designed as a limited-privilege administrative role, but the lack of parameter validation allows attackers to bypass role-based access control (RBAC) enforcement. This affects Cisco IOS XE Software across multiple major versions from 16.11 through 17.18, as identified via the CPE specification cpe:2.3:a:cisco:cisco_ios_xe_software. The vulnerability requires authentication as a Lobby Ambassador user, meaning it cannot be exploited by unauthenticated network attackers, which limits its attack surface.

RemediationAI

Upgrade Cisco IOS XE Software to a patched version released after the advisory publication date (consult https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-lobby-privesc-KwxBqJy for specific fixed versions per major release line). Until patching is complete, implement restrictive network access controls by limiting access to the web-based management API to trusted administrative subnets and VPN endpoints only, enforce mutual TLS (mTLS) for API communications if supported, and review and minimize the number of accounts granted Lobby Ambassador privileges using the principle of least privilege. Additionally, implement robust logging and alerting on API endpoint activity, specifically monitoring for user creation requests from Lobby Ambassador sessions, and consider implementing API rate limiting or request filtering to block suspicious parameter combinations. If available, consult Cisco TAC for interim guidance on disabling the Lobby Ambassador role if it is not actively required in your environment.

Share

CVE-2026-20114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy