Cisco has issued a security advisory for a critical vulnerability in its IOS XE Software affecting Wireless LAN Controllers (WLCs), which could allow unauthenticated, remote attackers to upload arbitrary files and execute commands with root privileges.

Cisco Catalyst 9800-CL Wireless Controllers affected by CVE-2025-20188

The high-severity vulnerability, tracked as CVE-2025-20188 (CVSS 10.0), stems from the use of a hard-coded JSON Web Token (JWT) in the Out-of-Band Access Point (AP) Image Download feature. When enabled, this feature exposes an interface that attackers can exploit by sending specially crafted HTTPS requests.

A successful attack could lead to file uploads, path traversal, and arbitrary command execution with the highest system privileges.

Key Details

  • Attack Vector: Remote and unauthenticated
  • Impact: Root-level command execution
  • Conditions: The Out-of-Band AP Image Download feature must be enabled (disabled by default)
  • Fixes Available: Yes
  • Workarounds: No full workaround; mitigation available

Products Affected by CVE-2025-20188

Devices running a vulnerable release of Cisco IOS XE Software for WLCs with the Out-of-Band AP Image Download feature enabled are affected by CVE-2025-20188. This includes:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst Access Points

Administrators can verify whether the feature is enabled by running the command: show running-config | include ap upgrade. If the output includes ap upgrade method https, the device is vulnerable.
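The check above can be applied across a fleet of controllers. The following is an added example, not code from Cisco or the advisory: it takes the captured output of show running-config | include ap upgrade for each controller (the device names and their outputs are constructed sample data) and reports which ones have the Out-of-Band AP Image Download feature enabled, treating an absent line as the default, disabled state.

```python
import re

# Constructed sample outputs of `show running-config | include ap upgrade`
# from hypothetical controllers; not real device output.
SAMPLE_OUTPUTS = {
    "wlc-branch-01": "ap upgrade staggered 25\nap upgrade method https\n",
    "wlc-hq-01": "ap upgrade staggered 25\n",   # method left at default (CAPWAP)
    "wlc-lab-01": "",                           # nothing configured at all
}

# Only an exact, un-negated "ap upgrade method https" line indicates the feature
# is enabled; anchoring at line start keeps a "no ..." form from matching.
OOB_HTTPS_LINE = re.compile(r"^\s*ap upgrade method https\s*$", re.IGNORECASE)


def oob_image_download_enabled(config_output: str) -> bool:
    """Return True if the captured output shows the Out-of-Band AP Image
    Download feature enabled (the condition under which CVE-2025-20188 applies).
    An empty capture or no matching line means the default (CAPWAP) method."""
    return any(OOB_HTTPS_LINE.match(line) for line in config_output.splitlines())


def audit(outputs: dict) -> dict:
    """Map each controller name to 'exposed' (feature enabled) or 'not exposed'.
    This reflects only the feature state, not whether the release is patched."""
    return {
        name: ("exposed" if oob_image_download_enabled(out) else "not exposed")
        for name, out in outputs.items()
    }


if __name__ == "__main__":
    for name, status in audit(SAMPLE_OUTPUTS).items():
        print(f"{name}: {status}")
```

A controller reported as "not exposed" may still run a vulnerable release; the audit tells you where the feature is on, and the software version check is separate.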

Mitigation of CVE-2025-20188

While there is no direct workaround, Cisco advises disabling the Out-of-Band AP Image Download feature to mitigate the risk. With this feature disabled, AP image downloads revert to using the CAPWAP method, which is not affected by this vulnerability.

However, Cisco cautions that any changes should be tested in the customer’s environment, as configurations and performance may vary.

Cisco has released free software updates to address the vulnerability. Customers with valid service contracts are encouraged to download the updates through official Cisco support channels.

Administrators need to assess their systems immediately, apply the updates, and consider disabling the vulnerable feature until patches can be implemented.

Source: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
