Cybersecurity Threat Advisory: Cisco critical vulnerability

Cisco has released software patches to fix a critical security flaw, CVE-2025-20188, affecting its IOS XE Wireless Controller software. With a maximum CVSS score of 10.0, the vulnerability could enable unauthenticated remote attackers to gain full root access to impacted systems. Review this Cybersecurity Threat Advisory to learn how to protect your environment from exploitation.

What is the threat?

The vulnerability lies in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). It arises from a hard-coded JSON Web Token (JWT) on affected systems. An attacker could bypass authentication by sending specially crafted HTTPS requests to the AP image download interface and using the hard-coded JWT. If exploited successfully, this flaw could allow the attacker to upload arbitrary files, potentially leading to the execution of malicious code with elevated privileges.

Why is this noteworthy?

This vulnerability is critical because it could allow unauthenticated attackers to execute commands with root-level privileges. It affects specific Cisco IOS XE Software versions used in widely deployed Wireless LAN Controllers. The presence of a hard-coded JWT makes it particularly dangerous and difficult to mitigate without patching.

What is the exposure or risk?

Successful exploitation of this vulnerability could enable an attacker to upload files, perform path traversal, and execute arbitrary commands with root-level privileges.

However, for the exploit to be effective, the Out-of-Band AP Image Download feature must be enabled on the device. It is disabled by default. The following products are impacted if they are running a vulnerable software release and have the Out-of-Band AP Image Download feature enabled:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs
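Because the feature is off by default, the first triage question for each controller is whether it has been turned on. The script below is an added example, not part of this advisory or of Cisco's documentation; it assumes that the feature shows up in an IOS XE running configuration as the line `ap upgrade method https` (an assumption to verify against Cisco's advisory), and the config excerpts it inspects are constructed.

```python
import re

# Matches the feature line at the start of a config line only, so a
# negated form such as "no ap upgrade method https" is not counted.
# ASSUMPTION: this is how the Out-of-Band AP Image Download feature
# appears in an IOS XE WLC running configuration.
FEATURE_LINE = re.compile(r"^\s*ap upgrade method https\s*$", re.MULTILINE)

# Constructed running-config excerpts for three hypothetical controllers.
SAMPLE_CONFIGS = {
    "wlc-campus-1": (
        "hostname wlc-campus-1\n"
        "ap upgrade method https\n"      # feature enabled: precondition met
        "ap upgrade staggered 25\n"
    ),
    "wlc-campus-2": (
        "hostname wlc-campus-2\n"
        "ap upgrade staggered 25\n"      # feature absent: default (disabled)
    ),
    "wlc-branch-7": (
        "hostname wlc-branch-7\n"
        "no ap upgrade method https\n"   # explicitly negated: disabled
    ),
}


def oob_ap_image_download_enabled(running_config: str) -> bool:
    """Return True if the running config enables Out-of-Band AP Image Download."""
    return FEATURE_LINE.search(running_config) is not None


def triage(configs: dict) -> dict:
    """Classify each controller by whether the exploitation precondition holds.

    A controller marked 'precondition-met' still needs its software release
    checked against Cisco's fixed-release list; this script only evaluates
    the feature state, not the version.
    """
    return {
        name: ("precondition-met" if oob_ap_image_download_enabled(cfg)
               else "feature-disabled")
        for name, cfg in configs.items()
    }


if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_CONFIGS).items():
        print(f"{device}: {verdict}")
```

In practice the `running_config` strings would be gathered from `show running-config` output collected through your existing configuration-management workflow, one controller at a time.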

What are the recommendations?

Barracuda recommends that organizations take the following steps to reduce their risk from this vulnerability:

  • Limit access to the AP image download interface to trusted networks and authorized users.
  • Use monitoring tools to detect suspicious behavior or unauthorized access attempts.
  • Update software and firmware regularly to defend against known vulnerabilities.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.