Cisco patches maximum severity vulnerability in IOS XE Software – Go Health Pro

Cisco patched a maximum severity (CVSS 10.0) vulnerability in its IOS XE Software for wireless LAN controllers (WLCs). The vulnerability, tracked as CVE-2025-20188, could enable a remote, unauthenticated attacker to upload arbitrary files, perform path traversal and execute arbitrary commands with root privileges on affected devices, according to a Cisco security advisory published Wednesday.

The flaw is due to a hard-coded JSON Web Token (JWT) in the affected software that allows an attacker to bypass authentication. An attacker in possession of this JWT can send crafted HTTPS requests to the device via the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software to upload arbitrary files.

The Out-of-Band AP Image Download feature must be enabled for CVE-2025-20188 to be exploited, and it is not enabled by default, Cisco noted. This feature lets software images and configurations be downloaded to APs over HTTPS rather than the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, and is designed for situations where CAPWAP cannot be used, such as when APs are outside the WLC's CAPWAP control path.

Cisco recommends that customers update their IOS XE Software to the latest version to fully resolve the vulnerability.
Customers can use the Cisco Software Checker to determine whether they are running a vulnerable version and to identify which upgrade fixes all vulnerabilities.

Products identified as affected by the vulnerability, if running a vulnerable version of IOS XE Software with the Out-of-Band AP Image Download feature enabled, are the Catalyst 9800-CL Wireless Controllers for Cloud, the Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400 and 9500 Series Switches, the Catalyst 9800 Series Wireless Controllers and the Embedded Wireless Controller on Catalyst APs.

Users can determine whether the Out-of-Band AP Image Download feature is enabled by running the "show running-config | include ap upgrade" command, which returns "ap upgrade method https" if the feature is enabled. Disabling this feature is the recommended mitigation if a patch cannot be installed immediately; doing so forces all software image downloads to occur via CAPWAP. Because this could affect the ability of some APs to receive updates, Cisco states that customers "should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment."

Cisco software flaws are among the most targeted by attackers because of the critical role these devices play in managing organizational networks. Two older vulnerabilities in Cisco IOS XE, tracked as CVE-2023-20198 and CVE-2023-20273, were recently targeted in attacks against U.S. telecommunications companies by the China state-sponsored threat group RedMike. CVE-2025-20188 is not believed to have been exploited in the wild, and no public proof-of-concept exploit is yet available, according to Cisco.
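The check above is easy to run on one controller, but most shops have many WLCs. The following script, added here as an illustration and not code from Cisco or from this article, applies Cisco's documented indicator ("ap upgrade method https" in the running-config) across a set of captured running-configs and lists the controllers that still need the workaround or the patch. The sample configs are constructed; the hostnames and the `no ap upgrade method https` disable command are assumptions (the latter is the standard IOS "no" form of the enabling command and should be verified against your platform's documentation before use).

```python
"""Fleet triage for the CVE-2025-20188 exploitation precondition.

Input: a mapping of hostname -> captured `show running-config` text from each
Catalyst 9800 / embedded WLC. Output: the hosts on which the Out-of-Band AP
Image Download feature is enabled. Sample configurations below are constructed
for illustration, not taken from real devices.
"""
import re
from typing import Dict, List

# Cisco's documented indicator: the feature is enabled when
# `show running-config | include ap upgrade` returns this line.
# Anchored to the start of the line so an IOS comment ("! ap upgrade ...")
# or a line that merely mentions the string does not count as a hit.
OOB_HTTPS_LINE = re.compile(r"^\s*ap upgrade method https\s*$", re.MULTILINE)

# Assumed IOS negation of the enabling command (standard "no" form).
# Verify against your platform's documentation before pushing it.
DISABLE_COMMAND = "no ap upgrade method https"

# Constructed sample running-config excerpts (hostnames are invented).
SAMPLE_CONFIGS: Dict[str, str] = {
    "wlc-dc1": "hostname wlc-dc1\n!\nap upgrade method https\n!\nend\n",
    "wlc-dc2": "hostname wlc-dc2\n!\n! ap upgrade method https\n!\nend\n",
    "wlc-branch": "hostname wlc-branch\r\n!\r\n ap upgrade method https \r\n!\r\nend\r\n",
}


def oob_ap_image_download_enabled(running_config: str) -> bool:
    """Return True if the running-config enables HTTPS AP image download."""
    return OOB_HTTPS_LINE.search(running_config) is not None


def triage(configs: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose running-config has the feature enabled."""
    return sorted(host for host, cfg in configs.items()
                  if oob_ap_image_download_enabled(cfg))


def remediation_plan(configs: Dict[str, str]) -> Dict[str, str]:
    """Map each exposed host to the config command that disables the feature."""
    return {host: DISABLE_COMMAND for host in triage(configs)}


if __name__ == "__main__":
    for host, cmd in remediation_plan(SAMPLE_CONFIGS).items():
        print(f"{host}: Out-of-Band AP Image Download enabled -> apply '{cmd}' or patch")
```

In a real deployment, feed the function the output of a config backup job rather than the embedded samples, and treat a hit as "patch or disable" rather than "disable": Cisco's own caveat about APs that depend on the HTTPS download path applies before any workaround is pushed.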
