
Cisco Fixes Critical IOS XE Bug Allowing Root Exploits

Cisco Patches Critical Flaw in IOS XE Wireless Controller Allowing Remote File Uploads 

Cisco has released security updates to fix a critical vulnerability in its IOS XE Wireless Controller software that could allow unauthenticated remote attackers to upload arbitrary files to vulnerable systems. 

The flaw, identified as CVE-2025-20188, carries a CVSS severity score of 10.0, the highest possible rating. 

According to Cisco’s advisory issued Wednesday, the issue stems from a hard-coded JSON Web Token (JWT) present on affected systems. Exploiting the flaw involves sending specially crafted HTTPS requests to the access point (AP) image download interface. If successful, attackers could upload files, perform path traversal, and execute commands with root-level access. 

However, exploitation requires that the Out-of-Band AP Image Download feature be enabled, and this feature is disabled by default. 

The following products are impacted if running a vulnerable release with the feature enabled: 

  • Catalyst 9800-CL Wireless Controllers for Cloud 
  • Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches 
  • Catalyst 9800 Series Wireless Controllers 
  • Embedded Wireless Controller on Catalyst Access Points 

While upgrading to a patched version is strongly recommended, Cisco suggests disabling the vulnerable feature as a temporary mitigation. With it disabled, AP image updates will default to the CAPWAP method, which doesn’t affect the AP client state. 
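
The triage Cisco's advisory implies, as an added example that is not part of the original article: exposure to CVE-2025-20188 needs both an affected product and the Out-of-Band AP Image Download feature enabled. The configuration line `ap upgrade method https` is assumed here to be what enables that feature on Catalyst 9800 controllers; confirm it against Cisco's advisory for your release. The sample configs are constructed, not real device output.

```python
import re

# Product families the article lists as affected when the feature is enabled:
# Catalyst 9800-CL (cloud), 9800 embedded on 9300/9400/9500 switches,
# 9800 Series appliances, and the Embedded Wireless Controller on Catalyst APs.
AFFECTED_PREFIXES = ("catalyst 9800", "embedded wireless controller on catalyst")

# Assumed running-config line that turns on the HTTPS (out-of-band) AP image
# download path. Anchored at line start, so a "no ap upgrade ..." line does not match.
OOB_DOWNLOAD_RE = re.compile(r"^\s*ap upgrade method https\b", re.MULTILINE)


def oob_ap_image_download_enabled(running_config: str) -> bool:
    """True if the running-config enables out-of-band (HTTPS) AP image download."""
    return OOB_DOWNLOAD_RE.search(running_config) is not None


def is_affected_product(product: str) -> bool:
    """Case-insensitive prefix match against the affected product families."""
    name = product.strip().lower()
    return any(name.startswith(prefix) for prefix in AFFECTED_PREFIXES)


def assess_exposure(product: str, running_config: str) -> dict:
    """Exposure requires an affected product AND the feature enabled."""
    affected = is_affected_product(product)
    feature = oob_ap_image_download_enabled(running_config)
    exposed = affected and feature
    action = ("upgrade to a fixed release; until then disable OOB AP image download "
              "(AP image updates fall back to CAPWAP)") if exposed else \
             "no CVE-2025-20188 exposure via this feature"
    return {"product": product, "affected_product": affected,
            "oob_ap_image_download": feature, "exposed": exposed, "action": action}


# Constructed sample configs (not captured from real devices).
VULNERABLE_CFG = "hostname wlc1\n!\nap upgrade method https\n!\nend\n"
DEFAULT_CFG = "hostname wlc2\n!\nno ap upgrade method https\n!\nend\n"

if __name__ == "__main__":
    for cfg in (VULNERABLE_CFG, DEFAULT_CFG):
        print(assess_exposure("Catalyst 9800 Series Wireless Controller", cfg))
```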

Cisco credited X.B. from its Advanced Security Initiatives Group (ASIG) for identifying the bug during internal testing. So far, there is no evidence of active exploitation in the wild. 
