- Cisco has patched a 10/10 flaw in IOS XE Software for Wireless LAN Controllers
- The flaw was due to hardcoded tokens
- There is no evidence of abuse in the wild (yet)
Cisco has released a patch for a maximum-severity flaw found in its IOS XE Software for Wireless LAN Controllers which could have allowed threat actors to take over vulnerable endpoints.
The flaw is yet another case of hardcoded credentials, this time in the form of a JSON Web Token (JWT). “An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface,” it is explained in the NVD website. “A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.”
The vulnerability is now tracked as CVE-2025-20188, and has the maximum security score – 10/10 (critical).
No mitigations
It was also noted that the vulnerability can only be exploited on devices that have the Out-of-Band Image Download feature enabled which, on default settings, is not the case.
According to BleepingComputer, this is a feature that allows access points to download OS images via HTTPS instead of CAPWAP, which is a somewhat more flexible and direct way of getting firmware onto access points.
The publication says that while it’s off by default, some large-scale or automated enterprise deployments have turned it on.
Unfortunately, there are no mitigations for the flaw. The best way to minimize the risk of exposure is to deploy the patch. A possible workaround is to disable the Out-of-Band Image Download feature, which could work well if the enterprise isn’t actually using it.
Cisco said it hasn’t seen evidence of in-the-wild abuse just yet, but users should still be on their guard.
Here is a list of vulnerable devices:
Catalyst 9800-CL Wireless Controllers for Cloud
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst APs
And here is a list of devices that are safe to use:
Cisco IOS (non-XE)
Cisco IOS XR
Cisco Meraki products
Cisco NX-OS
Cisco AireOS-based WLCs
Leave a comment