Recent disclosures regarding a critical vulnerability in Cisco IOS XE Wireless LAN Controllers (WLC) have raised significant cybersecurity concerns. This flaw, identified as CVE-2025-20188, poses an arbitrary file upload risk that could be exploited by attackers, emphasizing the urgent need for proactive security measures.
The research conducted by Horizon3 has provided essential technical insights into this vulnerability, though it stops short of offering a direct proof of concept for a remote code execution (RCE) exploit. Nevertheless, the details shared create a sufficient foundation for skilled adversaries to potentially develop an exploit. Therefore, immediate action is imperative to safeguard at-risk devices.
Understanding the Cisco IOS XE WLC Vulnerability
Cisco officially announced this critical vulnerability on May 7, 2025, indicating that it allows remote attackers to gain complete control over targeted devices. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT), which grants unauthenticated remote attackers the ability to upload files, exploit path traversal, and execute commands with elevated (root) privileges.
This vulnerability, CVE-2025-20188, is particularly concerning when the ‘Out-of-Band AP Image Download’ feature is enabled. The following Cisco hardware models are identified as being vulnerable:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controllers on Catalyst access points (APs)
Horizon3’s Exploitation Strategy
The analysis from Horizon3 reveals that the vulnerability is primarily due to a hardcoded JWT fallback secret (“notfound”) used by the backend Lua scripts that handle file upload endpoints, combined with insufficient path validation. Specifically, when the ‘/tmp/nginx_jwt_key’ file is absent, the scripts default to the insecure “notfound” string as the JWT verification key.
This fallback behavior lets an attacker forge valid JWTs without knowing the real secret: a token signed with the ‘HS256’ algorithm and the hardcoded string passes verification, so the authentication check on these endpoints is effectively bypassed.
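The fallback pattern described above, placed beside a fail-closed alternative, as an added example (not Cisco’s, Horizon3’s or this article’s code): the key path, key contents and token claims are constructed stand-ins, and the scenario builds its own sample tokens.

```python
# Fail-closed HS256 JWT verification beside the fallback-secret pattern described
# above. Added example, not Cisco's or Horizon3's code; key path, key and claims are constructed.
import base64, hashlib, hmac, json, os, pathlib, tempfile
FALLBACK_SECRET = "notfound"  # the hard-coded default the analysis describes

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: str) -> str:  # builds sample tokens for the scenario below
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def load_secret_vulnerable(key_path: str) -> str:  # pattern from the analysis: missing file -> fallback
    return open(key_path).read().strip() if os.path.exists(key_path) else FALLBACK_SECRET

def load_secret_hardened(key_path: str):
    """Fail closed: a missing, empty or default-valued key file means nothing is trusted."""
    secret = open(key_path).read().strip() if os.path.exists(key_path) else ""
    return None if not secret or secret == FALLBACK_SECRET else secret

def verify_request(token: str, key_path: str):
    """Return the claims if the token is valid under the provisioned key, else None."""
    secret = load_secret_hardened(key_path)
    if secret is None:
        return None  # no trusted key: reject rather than guess
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64d(head_b64)).get("alg") != "HS256":
            return None  # refuse alg confusion and "none"
        expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return None
        return json.loads(_b64d(body_b64))
    except (ValueError, AttributeError):
        return None

def run_demo() -> dict:
    """Constructed scenario: provisioned key, wrong key, then the key file removed."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "nginx_jwt_key")  # stand-in for /tmp/nginx_jwt_key
        pathlib.Path(key_path).write_text("constructed-test-key")
        good = make_token({"sub": "ap-image"}, "constructed-test-key")
        forged = make_token({"sub": "ap-image"}, "wrong-key")
        ok, bad = verify_request(good, key_path), verify_request(forged, key_path)
    # the temporary directory is gone, so the key file is now absent
    return {"valid": ok, "wrong_key": bad, "key_missing": verify_request(good, key_path),
            "vulnerable_fallback": load_secret_vulnerable(key_path)}
```

With the key file present only the correctly signed token is accepted; once the file is gone the hardened path rejects every token, whereas the fallback loader silently returns the well-known default.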
In a detailed demonstration, Horizon3 illustrates how an attacker can send an HTTP POST request to the ‘/ap_spec_rec/upload/’ endpoint on port 8443, exploiting filename path traversal to upload a harmless file (e.g., foo.txt) to a directory outside the intended file storage area.
Figure: Requesting JWT regeneration using a hardcoded secret. Source: Horizon3
This file upload vulnerability can be escalated to remote code execution by overwriting configuration files read by backend services, uploading web shells, or tampering with files that are actively monitored so that the monitoring service triggers unintended actions. Horizon3 demonstrates the last approach against the ‘pvp.sh’ service, which watches specified directories: by overwriting the configuration files the service depends on, an attacker can hijack its reload mechanism to run arbitrary commands.
To mitigate the risk of exploitation, it is strongly advised that users upgrade to a patched version (17.12.04 or newer) at the earliest opportunity. In the interim, system administrators are encouraged to disable the Out-of-Band AP Image Download feature to minimize exposure to potential threats.