Experts Published a Detailed Analysis of Cisco IOS XE WLC Flaw CVE-2025-20188
A critical vulnerability in Cisco IOS XE Wireless LAN Controllers (WLCs), tracked as CVE-2025-20188, has been analysed in detail and the analysis made public by experts. The flaw allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system, and the availability of technical details raises the risk of exploitation in the near term.
Technical Details Revealed
In early May, Cisco released software updates to address the vulnerability, which carries a CVSS score of 10. An attacker can exploit this flaw by sending crafted HTTPS requests to the AP image download interface, potentially gaining root access and executing arbitrary commands.
The vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. According to the advisory, "A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system."
Experts from Horizon3 discovered the vulnerability and reported that it is caused by a hardcoded fallback secret ("notfound") and weak path validation. If the system's JWT key file is missing, it defaults to using "notfound" to verify tokens, making it easy for attackers to create valid tokens without knowing any real secret.
Risk of Exploitation
The Out-of-Band AP Image Download feature must be enabled for the vulnerability to be exploited. However, Cisco points out that this feature is disabled by default. The company states that no workaround exists, but the vulnerability can be mitigated by disabling the Out-of-Band AP Image Download feature.
Cisco urges users to disable the feature until a fix is applied, but they must assess the impact on their environment first. At the time of disclosure, the Cisco Product Security Incident Response Team (PSIRT) stated that it was not aware of any active exploitation in the wild.
How the Vulnerability Works
In summary, the flaw is reachable through a file upload feature exposed on port 8443. Because the upload path is not properly validated, an attacker can write files outside the intended directory and gain remote code execution by overwriting configuration files or by abusing services such as pvp.sh that act automatically on files written to the locations they watch.
Horizon3 researchers also identified an internal process management service (pvp.sh) that watches a specific directory for file writes. Once a change is detected, it can trigger a service reload based on the commands specified in that service's config file.
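The two weaknesses described above, the fallback secret in the token check and the missing containment check on the upload path, reduced to a constructed Python toy. This is an added illustration, not Cisco's code or Horizon3's analysis; the key file path, the /tmp/ap_images directory and the token claims are assumptions, and the hardened variants show the fail-closed behaviour a defender would expect.

```python
import base64, hashlib, hmac, json, os

FALLBACK_SECRET = "notfound"  # the hard-coded fallback named in the analysis

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(head: str, body: str, secret: str) -> str:
    return _b64(hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest())

def hs256_token(claims: dict, secret: str) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_sign(head, body, secret)}"

def verify(token: str, secret: str) -> bool:
    head, body, sig = token.split(".")
    return hmac.compare_digest(_sign(head, body, secret), sig)

def load_key_vulnerable(path: str) -> str:
    # Weak pattern: a missing key file silently degrades to a publicly known constant.
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        return FALLBACK_SECRET

def load_key_hardened(path: str) -> str:
    # Fail closed: a missing key file raises instead of substituting a constant.
    with open(path) as f:
        return f.read().strip()

def within_upload_dir(base_dir: str, name: str) -> bool:
    # Path check: the resolved target must stay inside the upload directory.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base

def demo(key_path: str = "/nonexistent/constructed/jwt.key") -> dict:
    # Constructed scenario: key file absent, token minted under the fallback secret.
    token = hs256_token({"sub": "constructed"}, FALLBACK_SECRET)
    result = {"vulnerable_accepts": verify(token, load_key_vulnerable(key_path))}
    try:
        result["hardened_accepts"] = verify(token, load_key_hardened(key_path))
    except OSError:
        result["hardened_accepts"] = False
    result["traversal_blocked"] = not within_upload_dir("/tmp/ap_images", "../../etc/x.conf")
    return result
```

With the key file absent, the vulnerable loader accepts the fallback-signed token while the hardened loader rejects everything, and the path check refuses names that resolve outside the upload directory.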
Precautions and Mitigation
Experts recommend disabling the Out-of-Band AP Image Download feature until a fix is applied. Users must assess the impact of this action on their environment first. It is also recommended to keep software up-to-date and monitor systems for suspicious activity.