Advisory

Critical vulnerability in Cisco IOS XE Wireless Controller allows arbitrary file upload

Take action: If you are running Cisco wireless controllers, review the advisory and run the check for the Out-of-Band AP Image Download feature. If it is active, disable the feature immediately and plan a patch cycle.


Learn More

Cisco has addressed a critical security vulnerability in its IOS XE Wireless Controller Software that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system, potentially leading to complete compromise of the device.

This flaw, tracked as CVE-2025-20188 (CVSS score 10.0), is in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). It is caused by the presence of a hard-coded JSON Web Token (JWT) on affected systems. By sending crafted HTTPS requests to the AP image download interface, an attacker could exploit this vulnerability to upload files, perform path traversal, and execute arbitrary commands with root privileges. For exploitation to succeed, the Out-of-Band AP Image Download feature must be enabled on the device; it is disabled by default.

The vulnerability impacts the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for WLCs and have the Out-of-Band AP Image Download feature enabled:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

To determine whether a device is configured with the Out-of-Band AP Image Download feature enabled, administrators can use the command "show running-config | include ap upgrade". If the command returns "ap upgrade method https", the feature is enabled and the device is affected by this vulnerability.

On May 7, 2025, Cisco released software updates that address this vulnerability as part of its May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. The company strongly recommends that customers upgrade to the fixed software versions as soon as possible, as there are no workarounds that directly address this vulnerability.

Update: as of 29 May 2025, Horizon3 has published an analysis with detailed exploitation information, significantly increasing the risk of attacks. While the research does not provide a complete ready-to-run exploit, it contains sufficient technical detail that skilled attackers or automated tools could use to develop working exploits. The analysis reveals that the vulnerability exists because of a hard-coded JWT fallback secret ("notfound") used by backend Lua scripts, combined with insufficient path validation in the upload endpoints.
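The design flaw behind the root cause above, a token verifier that quietly falls back to a well-known constant when the real secret is absent, is shown below beside a loader that fails closed. This is an added Python illustration written for this advisory, not Cisco's Lua code or Horizon3's analysis; the secret-file path, the minimum secret length and the HS256 verifier are assumptions.

```python
import base64
import hashlib
import hmac
import json
from pathlib import Path
from typing import Optional

# Mirrors the fallback value the advisory names; everything else here is an
# illustrative reconstruction of the pattern, not the vendor's implementation.
FALLBACK_SECRET = b"notfound"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token; used only to exercise the verifier in tests."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # refuse 'none' and algorithm-confusion headers
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None

def load_secret_insecure(path: str) -> bytes:
    """Anti-pattern: a missing secret file silently becomes a public constant."""
    try:
        return Path(path).read_bytes().strip()
    except FileNotFoundError:
        return FALLBACK_SECRET

def load_secret_secure(path: str) -> bytes:
    """Fail closed: a missing, short or well-known secret disables authentication."""
    data = Path(path).read_bytes().strip()  # FileNotFoundError propagates
    if len(data) < 32 or data == FALLBACK_SECRET:  # assumed minimum length
        raise ValueError("JWT secret missing, too short, or a known default")
    return data
```

With the insecure loader, any token signed with the public constant is accepted once the secret file is missing; with the fail-closed loader, the same condition refuses every token instead.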

While there are no direct workarounds for this vulnerability, as a mitigation, administrators can disable the Out-of-Band AP Image Download feature. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed.
