May 9th, 2025

Who:
Cisco has identified a critical vulnerability (CVE-2025-20188) in its IOS XE Wireless Controllers. With a CVSS score of 10.0, this flaw was found to affect the following products when running vulnerable releases with the Out-of-Band AP Image Download feature enabled:
Catalyst 9800-CL Wireless Controllers for Cloud
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst APs
What:
The vulnerability arises from a hard-coded JSON Web Token (JWT) present on affected systems. An unauthenticated, remote attacker could exploit this by sending crafted HTTPS requests to the AP image download interface, potentially allowing them to upload arbitrary files, perform path traversal, and execute commands with root privileges. Notably, the Out-of-Band AP Image Download feature must be enabled for exploitation; it is disabled by default.
Impact:
While there is no evidence of active exploitation in the wild, successful exploitation could give an attacker full control of the affected device, from which they could escalate privileges, execute arbitrary code, exfiltrate data, and carry out a variety of other malicious operations.
Recommendations:
Immediate Patching: Update to the latest software versions provided by Cisco to address this vulnerability.
Verify Vulnerable Feature is Disabled: If immediate patching isn't feasible, ensure the Out-of-Band AP Image Download feature is disabled as a temporary mitigation. This action will revert AP image downloads to use the CAPWAP method, which does not impact the AP client state.
Verify Configuration: Ensure that the Out-of-Band AP Image Download feature remains disabled unless explicitly required.
For detailed information and patch downloads, refer to Cisco's official advisory.
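An added example, not from the original advisory summary or from Cisco: a Python audit of saved running-config exports for the line that enables Out-of-Band AP Image Download. The `ap upgrade method https` command string is taken from Cisco's advisory for this CVE rather than from this page, and the hostnames and config contents are constructed.

```python
import re

# Config line that enables Out-of-Band AP Image Download. Assumption: taken from
# Cisco's advisory for CVE-2025-20188; it does not appear on this page.
ENABLE_RE = re.compile(r"^(no\s+)?ap\s+upgrade\s+method\s+https\s*$", re.IGNORECASE)


def oob_download_enabled(running_config: str) -> bool:
    """Return True if a saved running-config enables the feature."""
    enabled = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment/separator lines
        match = ENABLE_RE.match(line)
        if match:
            # A leading "no" negates the command; the last occurrence wins.
            enabled = match.group(1) is None
    return enabled


def audit(configs: dict[str, str]) -> dict[str, str]:
    """Map each device name to 'EXPOSED' (feature enabled) or 'ok'."""
    return {name: "EXPOSED" if oob_download_enabled(cfg) else "ok"
            for name, cfg in configs.items()}


# Constructed sample exports (hostnames and contents are made up).
SAMPLE_CONFIGS = {
    # Feature enabled: needs the patch or the mitigation.
    "wlc-lab-1": "hostname wlc-lab-1\n!\nap upgrade method https\n!\nend\n",
    # Default state: the line is absent, AP images use CAPWAP.
    "wlc-lab-2": "hostname wlc-lab-2\n!\nwireless management interface Vlan10\nend\n",
    # Commented-out line plus an explicit negation: not enabled.
    "wlc-lab-3": "hostname wlc-lab-3\n! ap upgrade method https\n"
                 "no ap upgrade method https\nend\n",
    # Export with CRLF line endings and stray whitespace: still enabled.
    "wlc-lab-4": "hostname wlc-lab-4\r\n ap upgrade method https \r\nend\r\n",
}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_CONFIGS).items():
        print(f"{device}: {status}")
```

A device reported as `EXPOSED` is only affected if it also runs a vulnerable release, so pair the result with the version check in Cisco's advisory.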