Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.
The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system.
“This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system,” the company said in a Wednesday advisory.
“An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.”
That said, in order for the exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It’s disabled by default.
The following products are affected, if they have a vulnerable release running and have the Out-of-Band AP Image Download feature turned on –
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
While updating to the latest version is the best course of action, as temporary mitigations, users can disable the feature until an upgrade can be performed.
“With this feature disabled, AP image download will use the CAPWAP method for the AP image update feature, and this does not impact the AP client state,” Cisco added.
The networking equipment major credited X.B. of the Cisco Advanced Security Initiatives Group (ASIG) for discovering the reporting the bug during internal security testing. There is no evidence that the vulnerability has been maliciously exploited in the wild.
