Cisco has released software fixes to address a critical vulnerability in its IOS XE Wireless Controller software. This vulnerability, tracked as CVE-2025-20188, has been assigned a maximum severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS). The flaw is caused by the presence of a hard-coded JSON Web Token (JWT) on affected systems, making it vulnerable to exploitation. If successfully exploited, the vulnerability could allow an unauthenticated, remote attacker to upload arbitrary files, perform path traversal, and execute arbitrary commands with root privileges.
Exploitation of the vulnerability requires the attacker to send specially crafted HTTPS requests to the AP image download interface, which is part of the system’s update mechanism. However, the Out-of-Band AP Image Download feature, which must be enabled for successful exploitation, is disabled by default. If this feature is enabled, an attacker can use the flaw to gain root access to a device and potentially compromise it.
The impact of this vulnerability could be significant, as attackers could gain control over critical infrastructure systems.
The vulnerability affects several Cisco products, including Catalyst 9800-CL Wireless Controllers for Cloud and Catalyst 9800 Series Wireless Controllers. Other affected products include the Embedded Wireless Controller on Catalyst APs. Cisco recommends that users upgrade to the latest software version to patch the flaw. As a temporary mitigation, users can disable the Out-of-Band AP Image Download feature, which will force the system to use the CAPWAP method for updates, which is not vulnerable to this particular attack.
Cisco credited X.B., a member of the Cisco Advanced Security Initiatives Group (ASIG), for discovering the vulnerability during internal security testing.
Although the vulnerability is critical, Cisco reported that there is no evidence of this flaw being exploited by malicious actors in the wild. Security professionals are urged to act quickly to mitigate the risk by either applying the patch or disabling the vulnerable feature until they can perform an upgrade.
Reference:
