Cisco Addresses Critical Vulnerability CVE-2025-20188 (CVSS 10.0) in IOS XE, Enabling Root Exploits through JWT


Cisco has issued software updates to address a critical security vulnerability in its IOS XE Wireless Controller. The flaw, tracked as CVE-2025-20188, carries the maximum CVSS score of 10.0.

According to the company's advisory, the vulnerability stems from a hard-coded JSON Web Token (JWT) present on affected systems. An unauthenticated, remote attacker can exploit it by sending crafted HTTPS requests to the Access Point (AP) image download interface. A successful attack lets the attacker upload arbitrary files, traverse outside the intended upload directory, and execute arbitrary commands with root privileges.
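To make the two weaknesses concrete, the following is an added, constructed illustration in Python; it is not Cisco's code, and the secret value, the `/var/ap-images` directory, the `scope` claim and all function names are hypothetical. It shows an HS256 signing secret baked into the image (so anyone who extracts the firmware can mint a valid token), an upload destination joined blindly from the request's filename (so `../` escapes the image directory), and the hardened counterpart that verifies against a random per-device secret and confines the path.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import secrets
from typing import Optional

# Constructed illustration (not Cisco code) of the two weaknesses the advisory
# describes: a JWT signing secret baked into the image, and an upload path built
# from an attacker-controlled filename. All names and paths are hypothetical.

# A secret shipped inside the firmware: whoever extracts the image can mint tokens.
HARDCODED_SECRET = b"demo-hardcoded-secret"
IMAGE_ROOT = "/var/ap-images"          # hypothetical upload directory


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; an attacker holding the hard-coded secret can call this too."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":   # refuse alg=none etc.
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):      # bad base64 / bad JSON / non-UTF-8
        return None


def vulnerable_destination(token: str, filename: str) -> Optional[str]:
    """Weak pattern: trusts any token under the shipped secret and joins the name blindly."""
    if verify_jwt(token, HARDCODED_SECRET) is None:
        return None
    # "../../usr/bin/evil" normalises to a path outside IMAGE_ROOT: path traversal.
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))


def new_device_secret() -> bytes:
    """Hardened pattern: a random per-device secret generated on the device, never shipped."""
    return secrets.token_bytes(32)


def hardened_destination(token: str, filename: str, device_secret: bytes) -> Optional[str]:
    """Verify against the per-device secret, require the right claim, and confine the path."""
    claims = verify_jwt(token, device_secret)
    if claims is None or claims.get("scope") != "ap-image-upload":
        return None
    dest = posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))
    # commonpath compares path components, so "/var/ap-images-evil" is not taken for a child.
    if dest == IMAGE_ROOT or posixpath.commonpath([IMAGE_ROOT, dest]) != IMAGE_ROOT:
        return None
    return dest


if __name__ == "__main__":
    forged = mint_jwt({"scope": "ap-image-upload"}, HARDCODED_SECRET)  # attacker-minted
    print("vulnerable, forged token + traversal:", vulnerable_destination(forged, "../../usr/bin/evil"))
    dev = new_device_secret()
    legit = mint_jwt({"scope": "ap-image-upload"}, dev)
    print("hardened, forged token:", hardened_destination(forged, "fw.bin", dev))
    print("hardened, traversal:", hardened_destination(legit, "../../usr/bin/evil", dev))
    print("hardened, clean name:", hardened_destination(legit, "fw.bin", dev))
```

The hardened variant fixes both problems independently: even if the per-device secret leaked, the `commonpath` check still keeps writes inside the image directory, and even if the path check were missing, a token minted with the secret extracted from the firmware would no longer verify.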

Exploitation requires the Out-of-Band AP Image Download feature to be enabled on the affected device. This feature is disabled by default.

The following products are vulnerable if they are running a susceptible release with the Out-of-Band AP Image Download feature enabled:

– Catalyst 9800-CL Wireless Controllers for Cloud
– Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
– Catalyst 9800 Series Wireless Controllers
– Embedded Wireless Controller on Catalyst APs

The fix is to upgrade to a patched software release. Until that can be done, administrators are advised to disable the Out-of-Band AP Image Download feature. With the feature disabled, AP image downloads fall back to the CAPWAP method, which does not affect the state of AP clients.

Cisco credited X.B. of the Cisco Advanced Security Initiatives Group (ASIG) with finding and reporting the flaw during internal security testing. Cisco is not aware of any malicious exploitation of this vulnerability in the wild.