Cisco has fixed a maximum-severity flaw in IOS XE Software for Wireless LAN Controllers, caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
The token is meant to authenticate requests to a feature called ‘Out-of-Band AP Image Download’. Because it is hard-coded, anyone can impersonate an authorized user without credentials.
The vulnerability is tracked as CVE-2025-20188 and has the maximum CVSS score of 10.0. According to the vendor, it allows threat actors to fully compromise devices.
“An attacker can take advantage of this vulnerability by sending crafted HTTPS requests to the AP image download interface,” reads Cisco’s bulletin.
“A successful exploitation may allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.”
CVE-2025-20188 is only exploitable when the ‘Out-of-Band AP Image Download’ feature is enabled on the device, which is not the case by default.
The ‘Out-of-Band AP Image Download’ feature allows access points (APs) to download OS images over HTTPS instead of the CAPWAP protocol, which is a more flexible and direct way to get firmware onto APs.
That said, although it is disabled by default, some large-scale or automated enterprise deployments may enable it for faster provisioning or recovery of APs.
The following devices are vulnerable when the exploitation requirements are met:
- Catalyst 9800-CL Wireless Controller for Cloud
- Catalyst 9800 Cataly
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
On the other hand, the following products have been confirmed not to be affected by the hard-coded JWT issue: Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, and Cisco AireOS-based WLCs.
Cisco has issued security updates to address the critical vulnerability, so system administrators are advised to apply them as soon as possible.
Users can determine the exact version that fixes the flaw for their specific device model using the Cisco Software Checker.
Although there are no mitigations or workarounds for CVE-2025-20188, disabling the ‘Out-of-Band AP Image Download’ feature is a solid defense.
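One way to find controllers that have the feature turned on, as an added example that is not from the original article or from Cisco: it scans saved running-config text for the line `ap upgrade method https`, which Cisco's advisory gives as the indicator that the feature is enabled. The hostnames and config excerpts are constructed, and the function names are hypothetical.

```python
import re

# Running-config line that, per Cisco's advisory for CVE-2025-20188, indicates
# the Out-of-Band AP Image Download feature is enabled (assumption: taken from
# the advisory, not from this article).
FEATURE_LINE = re.compile(r"^\s*ap\s+upgrade\s+method\s+https\s*$", re.IGNORECASE)


def classify(config_text):
    """Return 'exposed', 'not-enabled' or 'unknown' for one running-config."""
    lines = [ln for ln in config_text.splitlines() if ln.strip()]
    if not lines:
        # Empty capture: collection failed, so do not report the device as safe.
        return "unknown"
    # A negated form ("no ap upgrade ..."), if present, does not match the pattern.
    if any(FEATURE_LINE.match(ln) for ln in lines):
        return "exposed"
    return "not-enabled"


def audit(configs):
    """Group hostnames by classification; hosts are listed in sorted order."""
    result = {"exposed": [], "not-enabled": [], "unknown": []}
    for host, text in sorted(configs.items()):
        result[classify(text)].append(host)
    return result


# Constructed sample data: hostnames and config excerpts are made up.
SAMPLE_CONFIGS = {
    "wlc-hq-01": "hostname wlc-hq-01\nap upgrade method https\n"
                 "wireless management interface Vlan10\n",
    "wlc-branch-02": "hostname wlc-branch-02\n"
                     "wireless management interface Vlan20\n",
    "wlc-lab-03": "",
    "wlc-dr-04": "hostname wlc-dr-04\n no ap upgrade method https\n",
}

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE_CONFIGS).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need their configuration collected again before they can be ruled out.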
At this time, Cisco is unaware of any cases of active exploitation of CVE-2025-20188. However, given the severity of the issue, threat actors are likely to start scanning for vulnerable endpoints immediately.