Published: June 3, 2025
Summary:
A serious vulnerability (CVE‑2025‑20188, CVSS 10.0) has been published publicly, affecting Cisco Wireless LAN Controllers (WLCs) running IOS XE. Attackers can exploit a hard‑coded JWT secret to bypass authentication, allowing arbitrary file uploads and potential remote code execution. All Cisco customers using the affected WLC platforms should immediately apply the patch or disable the vulnerable feature.
What’s the Issue?
- Disclosed on May 7, 2025: affects IOS XE WLCs with Out‑of‑Band AP Image Download enabled.
- Root cause: a hard‑coded JWT fallback secret (
"notfound") in the Lua auth script. - Attackers can generate valid tokens without any credentials using the known secret and HS256.
How It Can Be Exploited
- Send a malicious file to endpoints like
/aparchive/uploador/ap_spec_rec/upload/over port 8443. - Use path traversal to place files outside the upload folder.
- Overwrite WLC system scripts (e.g.,
pvp.sh) to gain root-level code execution.
Affected Devices
- Catalyst 9800 Series Wireless Controllers (9800‑CL, embedded in Catalyst switches)
- Embedded WLC on Catalyst APs
- All running IOS XE 17.12.03 and earlier with the affected feature enabled
Mitigation Recommendations
- Upgrade to IOS XE 17.12.04+ immediately.
- Disable the Out‑of‑Band AP Image Download feature if a patch cannot be applied yet.
- Restrict access to port 8443 to internal IPs only.
- Deploy Wireless Detection and Response tools to detect upload or traversal attempts.
- Continuously monitor WLC file systems and audit logs.
Why It Matters
This is a textbook case of insecure fallback secrets leading to full system compromise. With technical details now public, exploitation attempts are likely to spike. A compromised WLC puts the entire wireless network at risk for lateral movement, data interception, and persistent threat access.
Action Plan for IT Teams
| Task | Deadline | Responsibility |
|---|---|---|
| Apply patch to IOS XE 17.12.04+ | Within 24 hours | Network team |
| Disable OOB AP Image Download | Immediate | Network Operations |
| Restrict port 8443 to trusted IPs | Within 48 hours | Firewall/Security Ops |
| Enable monitoring for upload events | Next maintenance cycle | Security team |
| Audit logs and monitor scripts | Ongoing | SOC/NetSec team |
Bottom Line
CVE‑2025‑20188 is a critical authenticated bypass to full RCE chain that relies on a shocking oversight in token validation. Cisco’s patch is available, and organizations must act now to prevent exploitation. If you need assistance with monitoring or mitigation strategies, feel free to reach out.
Any Wi-Fi attack can now be a remote attack.
— Mathy Vanhoef
The wireless airspace must be treated as a critical part of your attack surface — one that attackers can now reach without ever being nearby. Are you watching your airspace?
→ Need visibility and control? Talk to us at AirEye
Sources: CSO Online, Horizon3.ai, BleepingComputer, Cyber Fraud Centre