CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20188
Exploit or Proof of Concept (PoC): No public exploit available at this time.
Update: CVE-2025-20188 – Cisco Security Advisory
Description: CVE-2025-20188 is a critical vulnerability in Cisco IOS XE Software for Wireless LAN Controllers (WLCs). The flaw arises from the presence of a hard-coded JSON Web Token (JWT) on affected systems. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted HTTPS requests to the Access Point (AP) image download interface. Successful exploitation could allow the attacker to upload arbitrary files, perform path traversal, and execute commands with root privileges. The vulnerability specifically affects systems with the Out-of-Band AP Image Download feature enabled, which is disabled by default.
Affected Products:
Mitigation Recommendation: Cisco has released software updates to address this vulnerability. Administrators are strongly advised to apply the provided patches immediately. If immediate patching is not feasible, it is recommended to disable the Out-of-Band AP Image Download feature as a temporary mitigation. Disabling this feature will cause AP image downloads to use the CAPWAP method, which is not affected by this vulnerability.
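An added audit helper (not part of this page or of Cisco's advisory) that checks saved `show running-config | include ap upgrade` output from several WLCs for the exposed feature and lists the workaround commands per controller. It assumes the marker line `ap upgrade method https` and the workaround `no ap upgrade method https` as given in Cisco's advisory for this CVE; the controller names and config text are constructed samples.

```python
from __future__ import annotations
import re

# Constructed sample output of `show running-config | include ap upgrade`
# from three hypothetical controllers. wlc-01 has the Out-of-Band AP Image
# Download feature on; wlc-03 has no `ap upgrade` lines (CAPWAP default).
SAMPLE_CONFIGS = {
    "wlc-01": "ap upgrade method https\nap upgrade staggered iteration timeout 9\n",
    "wlc-02": "ap upgrade staggered iteration timeout 9\n",
    "wlc-03": "",
}

# Marker line for the exposed feature (assumption: taken from Cisco's advisory).
OOB_MARKER = re.compile(r"^\s*ap upgrade method https\s*$", re.MULTILINE)

# Workaround from the advisory (assumption): reverts image download to CAPWAP.
MITIGATION_STEPS = [
    "configure terminal",
    "no ap upgrade method https",
    "end",
    "write memory",
]


def oob_image_download_enabled(running_config: str) -> bool:
    """True if the HTTPS (out-of-band) AP image download method is configured."""
    return OOB_MARKER.search(running_config) is not None


def audit(configs: dict[str, str]) -> dict[str, str]:
    """Map each controller name to 'EXPOSED' or 'ok' from its config excerpt."""
    return {
        name: "EXPOSED" if oob_image_download_enabled(cfg) else "ok"
        for name, cfg in configs.items()
    }


def remediation_plan(configs: dict[str, str]) -> dict[str, list[str]]:
    """Config-mode command sequence for each exposed controller only."""
    return {
        name: list(MITIGATION_STEPS)
        for name, cfg in configs.items()
        if oob_image_download_enabled(cfg)
    }


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
    for name, steps in remediation_plan(SAMPLE_CONFIGS).items():
        print(f"{name}: " + " / ".join(steps))
```

Feed it the real per-controller output instead of `SAMPLE_CONFIGS`; a controller still on a vulnerable release remains vulnerable if the feature is re-enabled, so patching is the durable fix.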
Note: Given the critical severity and confirmed exploitation, immediate action is necessary to secure exposed Cisco WLC environments. Regular patching and review of external exposure are essential to maintaining secure infrastructure.