Public Disclosure of Exploit Details for Critical Cisco IOS XE Vulnerability


Technical details of CVE-2025-20188, a critical vulnerability in Cisco IOS XE Software for Wireless LAN Controllers, have been published. The flaw lets an unauthenticated attacker upload arbitrary files to the controller and execute commands as root, which puts exposed devices at significant risk.

The disclosure came from researchers at Horizon3, who noted that although they have withheld a working proof-of-concept exploit, the technical detail they published is enough for a skilled attacker, or an attacker assisted by AI tooling, to build a functional exploit.

Cisco first disclosed the flaw on May 7, 2025, warning that it could allow attackers to take over affected devices. The vulnerability stems from a hard-coded JSON Web Token (JWT) secret that lets an unauthenticated remote attacker upload files and execute commands with root privileges, provided a specific feature is enabled on the device.

CVE-2025-20188 is exploitable only when the Out-of-Band AP Image Download feature is enabled. The affected Cisco products are:

– Catalyst 9800-CL Wireless Controllers for Cloud
– Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
– Catalyst 9800 Series Wireless Controllers
– Embedded Wireless Controller on Catalyst APs

Horizon3's analysis shows that the root cause is a hard-coded JWT fallback secret, the literal string "notfound", used by the backend Lua scripts that serve the upload endpoints, compounded by inadequate validation of the supplied file path. The backend uses OpenResty (Nginx with embedded Lua) for JWT validation and file handling; when the expected JWT key file is absent, the scripts silently fall back to "notfound" as the signing secret.

Because the fallback is a known constant, an attacker can mint tokens that pass validation without knowing any real secret: sign the token with HS256 using "notfound" as the HMAC key.
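The following is an added example (not Horizon3's or Cisco's code) showing why a constant fallback secret makes HS256 tokens forgeable, and the check a defender can run over captured tokens to spot ones minted with it. Only the secret string "notfound" and the HS256 algorithm come from the page; the claim names, the sample "real" key, and the `audit_tokens` helper are constructed for illustration.

```python
"""Forge and detect HS256 JWTs signed with the 'notfound' fallback secret."""
import base64
import hashlib
import hmac
import json

# The literal fallback string the page says the Lua upload handlers use when the
# real JWT key file is missing. Everything else here (claim names, sample key)
# is constructed for illustration.
FALLBACK_SECRET = b"notfound"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWT: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verifies_under(token: str, key: bytes) -> bool:
    """True if token is a well-formed HS256 JWT whose signature validates under key."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # refuse 'none' and any non-HMAC algorithm outright
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)  # constant-time compare


def signed_with_fallback(token: str) -> bool:
    """Detection check for defenders: a token that validates under the hard-coded
    fallback was minted by someone who never needed the real key."""
    return verifies_under(token, FALLBACK_SECRET)


def audit_tokens(tokens):
    """Run the check over a batch (e.g. token values pulled from proxy logs)
    and return the ones that validate under the fallback secret."""
    return [t for t in tokens if signed_with_fallback(t)]


if __name__ == "__main__":
    # Constructed sample: claim names are illustrative, not the controller's real claim set.
    forged = sign_hs256({"sub": "attacker", "iat": 1746576000}, FALLBACK_SECRET)
    legit = sign_hs256({"sub": "controller", "iat": 1746576000}, b"a-properly-provisioned-secret")
    print("forged token validates under 'notfound':", signed_with_fallback(forged))
    print("legit token validates under 'notfound': ", signed_with_fallback(legit))
```

The point of `signed_with_fallback` is that it needs no access to the controller's real key: if a token captured in traffic or logs verifies under "notfound", it was forged, full stop. The `alg` check matters too; a verifier that honours whatever algorithm the header names is a second, independent weakness.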

Horizon3 demonstrated the flaw by sending an HTTP POST request to the '/apspecrec/upload/' endpoint on port 8443 with a forged token and a filename containing path traversal sequences, which wrote a benign file (foo.txt) outside the intended upload directory.
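As an added example (not Horizon3's code and not the controller's actual Lua handler), the block below contrasts the weak pattern the page describes, joining a client-supplied filename onto the upload directory, with a hardened version, and gives a helper for reviewing filenames seen in request logs. The upload root `/var/uploads/apspecrec` is an assumption; the page does not state the real directory.

```python
"""Naive vs hardened handling of a client-supplied upload filename."""
import posixpath
from urllib.parse import unquote

# Assumed upload root; the real directory on the controller is not stated on the page.
UPLOAD_ROOT = "/var/uploads/apspecrec"


def naive_target(filename: str) -> str:
    """The weak pattern: decode the client's filename and join it onto the upload
    directory. normpath resolves the '..' segments, which is exactly what lets the
    resulting path leave UPLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, unquote(filename)))


def escapes_root(filename: str) -> bool:
    """Log-review helper: would this filename have been written outside UPLOAD_ROOT
    under the naive pattern? Absolute filenames count too, since join() discards
    the base when the second argument is absolute."""
    target = naive_target(filename)
    return posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT


def safe_target(filename: str) -> str:
    """Hardened: decode once, insist on a single bare path component, then
    re-verify that the resolved path is a direct child of UPLOAD_ROOT."""
    name = unquote(filename)
    if name != posixpath.basename(name) or name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    if "\x00" in name or "\\" in name:
        raise ValueError(f"rejected filename: {filename!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.dirname(target) != UPLOAD_ROOT:  # belt and braces
        raise ValueError(f"rejected filename: {filename!r}")
    return target


if __name__ == "__main__":
    # Constructed sample filenames, including percent-encoded traversal.
    samples = ["foo.txt", "../../../../tmp/foo.txt",
               "%2e%2e%2f%2e%2e%2ftmp%2ffoo.txt", "/etc/passwd"]
    for s in samples:
        try:
            hardened = safe_target(s)
        except ValueError:
            hardened = "REJECTED"
        print(f"{s!r:40} naive -> {naive_target(s):40} escapes={escapes_root(s)!s:5} hardened -> {hardened}")
```

Decoding exactly once before validating is deliberate: validating the raw percent-encoded string and decoding afterwards is the classic way a traversal check gets bypassed. The final `dirname` check is redundant with the `basename` test but costs nothing and survives future edits to the earlier conditions.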

[Image: request to regenerate the JWT using the "notfound" secret key]

To turn the arbitrary file write into remote code execution, an attacker could overwrite configuration files read by backend services, drop a web shell, or target files that are watched by a running process so that the write itself triggers an action.

Horizon3 took the last route: the 'pvp.sh' service monitors certain directories, and by overwriting configuration files that service depends on, an attacker can cause it to execute commands of their choosing.

Given the elevated risk of exploitation now that the details are public, administrators should upgrade to a fixed release (17.12.04 or later) as soon as possible. Where an immediate upgrade is not possible, disable the Out-of-Band AP Image Download feature as an interim mitigation; with it disabled, access points fall back to the CAPWAP method for image download.