4 min read
By: RedLegg's Cyber Threat Intelligence Team
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES:
Cisco IOS XE Wireless Controller Arbitrary File Upload via Hard-coded JWT
CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20188
Exploit or Proof of Concept (PoC): No public exploit available at this time.
Update: CVE-2025-20188 – Cisco Security Advisory
Description: CVE-2025-20188 is a critical vulnerability in Cisco IOS XE Software for Wireless LAN Controllers (WLCs). The flaw arises from the presence of a hard-coded JSON Web Token (JWT) on affected systems. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted HTTPS requests to the Access Point (AP) image download interface. Successful exploitation could allow the attacker to upload arbitrary files, perform path traversal, and execute commands with root privileges. The vulnerability specifically affects systems with the Out-of-Band AP Image Download feature enabled, which is disabled by default.
Affected Products:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst Access Points
- Non-Affected Products:
- IOS Software
- IOS XE Software on devices not functioning as WLCs
- IOS XR Software
- Meraki products
- NX-OS Software
- WLC AireOS Software
Mitigation Recommendation: Cisco has released software updates to address this vulnerability. Administrators are strongly advised to apply the provided patches immediately. If immediate patching is not feasible, it is recommended to disable the Out-of-Band AP Image Download feature as a temporary mitigation. Disabling this feature will cause AP image downloads to use the CAPWAP method, which is not affected by this vulnerability..
Note: Given the critical severity and confirmed exploitation, immediate action is necessary to secure exposed Commvault environments. Regular patching and review of external exposure are essential to maintaining secure infrastructure.
