Cisco has released a patch for CVE-2025-20188, a critical vulnerability (CVSS 10.0) in IOS XE Wireless Controller software. The flaw allows unauthenticated remote attackers to upload arbitrary files and execute commands with root-level privileges.
The root cause is a hard-coded JSON Web Token (JWT) embedded in affected systems. Attackers can exploit this by sending crafted HTTPS requests to the AP image download interface.
Exploitation Conditions
The vulnerability is only exploitable when the Out-of-Band AP Image Download feature is enabled. This setting is disabled by default.
Affected Cisco Products
Devices running a vulnerable release with the feature enabled include:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300/9400/9500 Series
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst Access Points
Mitigation and Recommendations
Cisco advises all customers to update to a fixed software version.
As an interim measure, disabling the Out-of-Band AP Image Download feature blocks the exploit path. In this case, devices will revert to the CAPWAP method for image downloads, which is not affected.
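An added example, not Cisco's own tooling: a Python check that reads saved running-config text from a controller and reports whether the Out-of-Band AP Image Download exploit path is open. It assumes the feature appears in the configuration as the line `ap upgrade method https` (an assumption, not stated on this page) and that its absence means the default CAPWAP method, which the advisory says is unaffected.

```python
import re

# Assumption: on Catalyst 9800 (IOS XE) the Out-of-Band AP Image Download
# feature is enabled by this running-config line. The feature is disabled by
# default, so a config without it uses CAPWAP image downloads (not affected).
OOB_ENABLED_LINE = re.compile(r"^\s*ap upgrade method https\s*$", re.IGNORECASE)


def oob_image_download_enabled(running_config: str) -> bool:
    """True if the (assumed) out-of-band enable line is present in the config."""
    return any(OOB_ENABLED_LINE.match(line) for line in running_config.splitlines())


def assess(hostname: str, running_config: str) -> dict:
    """Summarise the CVE-2025-20188 exposure of one wireless controller."""
    enabled = oob_image_download_enabled(running_config)
    return {
        "host": hostname,
        "oob_ap_image_download": enabled,
        # The advisory: exploitable only while the feature is enabled.
        "exploit_path_open": enabled,
        "action": (
            "disable Out-of-Band AP Image Download (device reverts to CAPWAP) "
            "and upgrade to a fixed release"
            if enabled
            else "upgrade to a fixed release; this exploit path is already closed"
        ),
    }


# Constructed sample configs, not real device output.
VULNERABLE_CFG = """\
hostname wlc-branch-1
!
ap upgrade method https
!
wireless management interface Vlan10
"""
DEFAULT_CFG = """\
hostname wlc-branch-2
!
wireless management interface Vlan10
"""

if __name__ == "__main__":
    for name, cfg in (("wlc-branch-1", VULNERABLE_CFG), ("wlc-branch-2", DEFAULT_CFG)):
        print(assess(name, cfg))
```

Run it against `show running-config` output collected from each controller to prioritise which devices need the interim mitigation before the upgrade window.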
Discovery and Exploitation Status
The vulnerability was reported internally by X.B. from Cisco’s Advanced Security Initiatives Group (ASIG). Cisco has confirmed that there is no evidence of exploitation in the wild at the time of disclosure.