Cisco Addresses Critical IOS XE Vulnerability Allowing Potential Device Hijacking


Cisco has patched a critical vulnerability in IOS XE Software for Wireless LAN Controllers (WLCs). The flaw, tracked as CVE-2025-20188, stems from a hard-coded JSON Web Token (JWT) that lets an unauthenticated remote attacker take control of affected devices.

The JWT authenticates requests to the ‘Out-of-Band AP Image Download’ feature. Because the token is baked into the software rather than generated per device, anyone who has extracted it can present it and be treated as an authorized client without holding any credentials. The flaw carries a CVSS base score of 10.0, the maximum, reflecting the unauthenticated attack path and the potential for full device compromise.

An attacker exploits the flaw by sending crafted HTTPS requests to the AP image download interface. A successful exploit lets the attacker upload arbitrary files, perform path traversal, and execute arbitrary commands with root privileges.
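To make the vulnerability class concrete, the following added example (not Cisco code, and not a reproduction of the actual IOS XE implementation) models an image-download endpoint that validates HS256 JWTs against a secret shipped in the firmware. An attacker who has extracted that secret forges a token and is accepted; combined with an unchecked filename, that yields a write outside the image directory. The hardened variant generates a fresh secret per controller at boot and constrains the upload path. All names, the placeholder secret, and the filenames are constructed for illustration.

```python
"""Hard-coded JWT secret vs. per-device secret: forged tokens and path traversal.

Added example, not Cisco's code. FIRMWARE_SECRET is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from pathlib import PurePosixPath


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Vulnerable pattern: one secret compiled into the image, identical on every controller.
FIRMWARE_SECRET = b"constructed-placeholder-secret"  # assumption: stands in for a hard-coded value


class VulnerableImageService:
    def __init__(self, image_dir="/var/ap_images"):
        self.image_dir = image_dir

    def handle_upload(self, token: str, filename: str) -> str:
        claims = verify_jwt(token, FIRMWARE_SECRET)
        if claims is None:
            return "401 unauthorized"
        path = os.path.join(self.image_dir, filename)  # no traversal check on filename
        return f"200 would write {path}"


def forge_token(secret: bytes = FIRMWARE_SECRET) -> str:
    """What an attacker does once the secret is lifted from the firmware: mint a valid token."""
    return sign_jwt({"sub": "ap", "exp": time.time() + 600}, secret)


# Hardened pattern: secret is random per device and per boot, so nothing in the
# firmware image lets a remote party sign a token; uploads are confined to one directory.
class HardenedImageService:
    def __init__(self, image_dir="/var/ap_images"):
        self.image_dir = image_dir
        self.secret = secrets.token_bytes(32)

    def issue_token(self, ap_id: str) -> str:
        return sign_jwt({"sub": ap_id, "exp": time.time() + 600}, self.secret)

    def handle_upload(self, token: str, filename: str) -> str:
        claims = verify_jwt(token, self.secret)
        if claims is None:
            return "401 unauthorized"
        name = PurePosixPath(filename).name
        # Reject anything that is not a single path component (no '/', no '..', non-empty).
        if name != filename or name in ("", ".", ".."):
            return "400 bad filename"
        return f"200 would write {os.path.join(self.image_dir, name)}"


if __name__ == "__main__":
    forged = forge_token()
    print("vulnerable:", VulnerableImageService().handle_upload(forged, "../../etc/crontab"))
    hardened = HardenedImageService()
    print("hardened, forged token:", hardened.handle_upload(forged, "ap.bin"))
    print("hardened, own token:", hardened.handle_upload(hardened.issue_token("ap-01"), "ap.bin"))
    print("hardened, traversal:", hardened.handle_upload(hardened.issue_token("ap-01"), "../../etc/crontab"))
```

The two fixes are independent: rotating the secret stops token forgery, and confining the filename stops traversal even if a token is somehow obtained. A real fix also needs the token bound to the requesting AP and the service to run without root, since the advisory's impact is root-level command execution.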

CVE-2025-20188 is exploitable only when the ‘Out-of-Band AP Image Download’ feature is enabled, and it is disabled by default. The feature lets access points (APs) fetch operating-system images from the controller over HTTPS, which speeds up AP firmware updates.

Although the feature is off by default, large or automated enterprise deployments sometimes turn it on to speed up AP provisioning or recovery. The following products are affected when ‘Out-of-Band AP Image Download’ is enabled:

– Catalyst 9800-CL Wireless Controllers for Cloud
– Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
– Catalyst 9800 Series Wireless Controllers
– Embedded Wireless Controller on Catalyst APs

The hard-coded JWT issue does not affect Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, or Cisco AireOS-based WLCs.

Cisco has released software updates that remediate the vulnerability, and administrators should apply them promptly. The Cisco Software Checker reports the first fixed release for a given platform and train.

At the time of writing, no exploitation of CVE-2025-20188 has been reported. Given the unauthenticated attack path and the maximum severity score, scanning for exposed controllers should be expected soon. Until the update can be applied, disable the ‘Out-of-Band AP Image Download’ feature; APs then continue to receive images through the standard CAPWAP image-download path, so the feature can be turned off without leaving APs unable to upgrade.