Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw, tracked as CVE-2025-20188, have been made publicly available, bringing a working exploit a step closer.
The write-up by Horizon3 researchers is not a ready-to-run proof-of-concept RCE exploit script, but it provides enough information for a skilled attacker, or even an LLM, to fill in the missing pieces.
Given the imminent risk of weaponization and widespread use in attacks, affected users are advised to take action now to protect their endpoints.
The Cisco IOS XE WLC flaw
Cisco disclosed the critical flaw in IOS XE Software for Wireless LAN Controllers on May 7, 2025, stating that it allows an attacker to take over devices.
The vendor stated that it is caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated, remote attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
The bulletin stated that CVE-2025-20188 is only exploitable when the ‘Out-of-Band AP Image Download’ feature is enabled on the device, in which case the following devices are at risk:
- Catalyst 9800-CL Wireless Controller for Cloud
- Catalyst 9800 Cataly
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
Horizon3's analysis
Horizon3's analysis shows that the flaw exists because of a hardcoded JWT fallback secret (“notfound”) used by the backend Lua scripts for the file upload endpoints, combined with insufficient path validation.
Specifically, the backend uses OpenResty (Lua + Nginx) scripts to validate JWT tokens and handle file uploads, but if the ‘/tmp/nginx_jwt_key’ file is missing, the script falls back to using “notfound” as the secret for verifying JWTs.
This essentially allows attackers to generate valid tokens using ‘HS256’ and ‘notfound’ without knowing any real secret.
Horizon3's example sends an HTTP POST request with a file upload to the ‘/ap_spec_rec/’ endpoint on port 8443 and uses filename path traversal to drop an arbitrary file (foo.txt) outside the intended directory.
[Image: Horizon3's example upload request]
Source: Horizon3
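Defenders can hunt for the upload abuse described above in web-server or reverse-proxy logs. The following is an added example, not Horizon3's code or Cisco's, that flags POST requests to the ‘/ap_spec_rec/’ endpoint whose uploaded filename contains a path-traversal sequence; it handles URL-encoded and double-encoded ‘..’ as well as backslash separators. The log line format and the presence of a logged filename= field are assumptions (the WLC's own logging may differ), and the sample lines are constructed.

```python
"""Flag upload requests to the WLC AP upload endpoint whose filename
escapes the intended directory (path traversal)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Endpoint from the public write-up; port 8443 is where it is served.
UPLOAD_ENDPOINT = "/ap_spec_rec/"

# Constructed sample log lines (assumed format: client, timestamp, request
# line, status, and the multipart filename as logged by a proxy in front of
# the service). These are not real captures.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2025:10:01:02 +0000] "POST /ap_spec_rec/ HTTP/1.1" 200 filename="ap-image.bin"
198.51.100.7 - - [08/May/2025:10:02:11 +0000] "POST /ap_spec_rec/ HTTP/1.1" 200 filename="../../../../tmp/foo.txt"
198.51.100.7 - - [08/May/2025:10:02:15 +0000] "POST /ap_spec_rec/ HTTP/1.1" 200 filename="..%2F..%2Ffoo.txt"
10.0.0.9 - - [08/May/2025:10:03:00 +0000] "GET / HTTP/1.1" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:filename="(?P<filename>[^"]*)"|-)$'
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_traversal(name: str) -> bool:
    """True if the filename, after decoding, escapes its directory.

    Percent-decoding is repeated a few times so that double-encoded
    sequences such as %252e%252e are caught; backslashes are treated as
    separators since some parsers accept them.
    """
    decoded = name
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return True  # absolute path supplied as a "filename"
    return any(seg == ".." for seg in decoded.split("/"))


def find_suspicious_uploads(log_text: str,
                            endpoint: str = UPLOAD_ENDPOINT) -> List[Dict[str, str]]:
    """Return one hit per POST to the upload endpoint with a traversal filename."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].startswith(endpoint):
            continue
        fname = rec["filename"]
        if fname and is_traversal(fname):
            hits.append({"client": rec["client"], "time": rec["ts"],
                         "filename": fname})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} traversal upload: {hit['filename']}")
```

Because the service runs on 8443 and normal AP image uploads should come only from the controller's own management workflow, any POST to this endpoint from an unexpected client is worth reviewing even without a traversal filename; the traversal check simply prioritizes the obvious abuse.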
To escalate the file upload flaw to remote code execution, an attacker could overwrite configuration files loaded by backend services, drop web shells, or abuse monitored files to trigger unauthorized actions.
Horizon3's example abuses the ‘pvp.sh’ service, which monitors specific directories and triggers a reload when their contents change, to run the attacker's command.
Given the high risk of exploitation, users are advised to upgrade to a patched version (17.12.04 or newer) as soon as possible.
As a temporary workaround, admins can disable the Out-of-Band AP Image Download feature to close off the vulnerable service.
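The two conditions above (software version and feature state) are what an inventory triage needs to combine. The following added example, not Cisco's tooling, rates each controller as patched, vulnerable, or mitigated by the workaround, using the rule stated here (17.12.04 or newer is fixed). The Controller record and the oob_ap_image_download flag are assumed inventory fields, the sample inventory is constructed, and the numeric version comparison avoids the classic mistake of comparing version strings lexically, where "17.9.5" sorts after "17.12.04".

```python
"""Triage a WLC inventory for CVE-2025-20188 exposure."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fixed release named in the article (17.12.04); compared numerically.
PATCHED = (17, 12, 4)

STATUS_ORDER = {"vulnerable": 0, "unknown": 1, "mitigated": 2, "patched": 3}


@dataclass
class Controller:
    hostname: str
    version: str
    # Assumed inventory field: True when "Out-of-Band AP Image Download" is on.
    oob_ap_image_download: bool


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    Controller("wlc-campus-1", "17.9.5", True),
    Controller("wlc-campus-2", "17.9.5", False),
    Controller("wlc-dc-1", "17.12.04", True),
    Controller("wlc-lab-1", "unknown", True),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.12.04' or '17.12.3a' into a comparable integer tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]?", v.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True when the version is 17.12.04 or newer per the article's rule.
    Cisco's advisory lists fixed releases per release train; consult it for
    trains other than 17.12 rather than relying on this comparison alone."""
    return parse_version(version) >= PATCHED


def assess(c: Controller) -> str:
    """Classify one controller.

    vulnerable: unpatched and the exploitable feature is enabled
    mitigated:  unpatched but the feature is disabled (workaround in place)
    patched:    running a fixed release
    unknown:    version could not be parsed; needs manual review
    """
    try:
        patched = is_patched(c.version)
    except ValueError:
        return "unknown"
    if patched:
        return "patched"
    return "vulnerable" if c.oob_ap_image_download else "mitigated"


def triage(inventory: List[Controller]) -> List[Tuple[str, str]]:
    """Return (hostname, status) pairs, most urgent first."""
    rated = [(c.hostname, assess(c)) for c in inventory]
    return sorted(rated, key=lambda hs: (STATUS_ORDER[hs[1]], hs[0]))


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host}")
```

Controllers rated "mitigated" still need the upgrade; the workaround only removes the exposed service until a fixed release is installed.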