IOS XE WLC: hard-coded JSON Web Token in Out-of-Band AP Image Download feature (CVE-2025-20188) #shorts
Summary
In today’s episode we unpack CVE-2025-20188, a critical vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. A hard-coded JSON Web Token in the Out-of-Band Access Point Image Download feature can be abused by an unauthenticated, remote attacker to upload arbitrary files, traverse the filesystem, and execute commands as root. Cisco published the advisory on May 7, 2025, and released patches within 24 hours.
Product details
This issue affects Cisco IOS XE Software releases 17.7.1, 17.8.1, 17.9.1 through 17.9.5 (including 17.9.4a), 17.10.1 and 17.10.1b, 17.11.1 and 17.11.99SW, 17.12.1 through 17.12.3, 17.13.1, and 17.14.1 running on Wireless LAN Controllers. The vulnerable component is the Out-of-Band AP Image Download feature, which is disabled by default and is only active if an administrator has explicitly enabled it.
Vulnerability type summary
CVE-2025-20188 is categorized as a Use of Hard-coded Credentials vulnerability. A static JSON Web Token baked into the code grants implicit trust, allowing anyone who can reach the HTTPS image-download API to impersonate a legitimate client. This flaw bypasses authentication controls, opening doors to file upload, path traversal, and remote code execution.
Details of the vulnerability
An attacker sends crafted HTTPS requests to the AP Image Download interface, presenting the hard-coded JWT to pass authentication. Once accepted, the attacker can upload arbitrary files (potentially web shells or custom scripts), then abuse path traversal sequences to overwrite system binaries or place scripts in startup paths. Finally, by triggering those files, they gain root-level command execution. Although the feature must be enabled for exploitation, many administrators enable it for out-of-band firmware management without being aware of the embedded token. Cisco's fixes involve removing the hard-coded token, adding proper authentication, and sanitizing file paths. Patches are available now, and administrators should verify firmware versions and disable the Out-of-Band feature if it is unused.
Conclusion
CVE-2025-20188 underscores the danger of hard-coded credentials in network infrastructure. Even features meant for convenience can introduce critical backdoors if not designed securely. If you manage Cisco Wireless LAN Controllers, immediately install the vendor’s patches or disable the Out-of-Band AP Image Download feature. Review your device configurations, restrict management interfaces, and maintain a rapid patch cycle to reduce exposure. Stay safe and stay tuned for more security updates.
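The version check and configuration review recommended above, as an added triage helper that is not from the video or from Cisco: it reads `show version` and running-config text and reports whether a controller runs one of the releases listed in this summary and whether the Out-of-Band AP Image Download feature is switched on. The config marker `ap upgrade method https` is an assumption drawn from Cisco's advisory guidance, not something stated on this page, and the sample outputs are constructed.

```python
import re

# Affected IOS XE releases exactly as listed on this page (not a complete
# advisory lookup; consult the Cisco advisory for the fixed releases).
AFFECTED = {
    "17.7.1", "17.8.1",
    "17.9.1", "17.9.2", "17.9.3", "17.9.4", "17.9.4a", "17.9.5",
    "17.10.1", "17.10.1b",
    "17.11.1", "17.11.99SW",
    "17.12.1", "17.12.2", "17.12.3",
    "17.13.1", "17.14.1",
}

# Assumption (not from this page): the running-config line that enables
# the Out-of-Band AP Image Download feature on the controller.
FEATURE_MARKER = "ap upgrade method https"

# Constructed sample outputs for a controller that is both affected and exposed.
SAMPLE_VERSION = "Cisco IOS XE Software, Version 17.09.04a\n"
SAMPLE_CONFIG = "hostname wlc-lab\n!\nap upgrade method https\n!\nend\n"


def normalize(version):
    """Strip zero-padding (17.09.04a -> 17.9.4a) but keep letter suffixes."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            return None
        parts.append(str(int(m.group(1))) + m.group(2))
    return ".".join(parts)


def parse_version(show_version):
    """Pull the release string out of `show version` output, or None."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*[A-Za-z]*)", show_version)
    return normalize(m.group(1)) if m else None


def feature_enabled(running_config):
    """True if the feature marker appears as a config line."""
    return any(l.strip().startswith(FEATURE_MARKER) for l in running_config.splitlines())


def triage(show_version, running_config):
    """Return the parsed version plus a verdict: EXPOSED, PATCH or OK."""
    version = parse_version(show_version)
    affected = version in AFFECTED
    enabled = feature_enabled(running_config)
    verdict = "EXPOSED" if affected and enabled else "PATCH" if affected else "OK"
    return {"version": version, "affected": affected, "enabled": enabled, "verdict": verdict}
```

Run `triage(SAMPLE_VERSION, SAMPLE_CONFIG)` to see the EXPOSED case; a release outside the listed set returns OK regardless of the feature state, so the list must be kept in step with the advisory.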
Watch the full video on YouTube: CVE-2025-20188
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
- [2025-05-08] Cisco releases patches for a critical vulnerability in IOS XE Wireless Controller that could allow remote file uploads.
- [2025-05-08] Cisco IOS XE has a critical vulnerability in the Access Point Image Download Feature that can be exploited over the network.
- [2025-05-12] Cisco released software fixes for a critical vulnerability in its IOS XE Software for Wireless LAN Controllers, tracked as CVE-2025-20188.
- [2025-05-12] Cisco released software fixes for a high-risk vulnerability in its IOS XE Software for Wireless LAN Controllers, tracked as CVE-2025-20188.