
Cisco has released a security advisory addressing a critical vulnerability in its IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability, identified as CVE-2025-20188, carries a CVSS score of 10, indicating the highest level of severity.
The advisory warns of a vulnerability in the Out-of-Band Access Point (AP) Image Download feature. This flaw could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. The root cause of this vulnerability is “the presence of a hard-coded JSON Web Token (JWT) on an affected system.”
An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. Successful exploitation could have severe consequences, potentially allowing the attacker to “upload files, perform path traversal, and execute arbitrary commands with root privileges.”
The advisory emphasizes that “for exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device.” This feature is not enabled by default.
The vulnerability affects specific Cisco products running a vulnerable release of Cisco IOS XE Software for WLCs with the Out-of-Band AP Image Download feature enabled. These products include:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
Cisco provides a method to check whether the Out-of-Band AP Image Download feature is enabled. Administrators can run the `show running-config | include ap upgrade` command. If the output includes `ap upgrade method https`, the feature is enabled and the device is vulnerable.
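The check above can be automated across a fleet of controllers. The following is an added example (not code from Cisco or the advisory) that parses saved `show running-config | include ap upgrade` output per device and flags only the exact `ap upgrade method https` line the advisory names; the hostnames and the `ap upgrade staggered` line in the sample data are constructed for illustration.

```python
import re
from typing import Dict, Optional

# Matches the line the Cisco advisory says indicates the feature is on:
#   ap upgrade method https
# Anchored to the full line so other "ap upgrade ..." lines returned by the
# "| include ap upgrade" filter are not mistaken for a positive result.
AP_UPGRADE_METHOD = re.compile(r"^\s*ap upgrade method\s+(\S+)\s*$", re.IGNORECASE)


def ap_upgrade_method(running_config: str) -> Optional[str]:
    """Return the configured 'ap upgrade method' value, or None if absent."""
    for line in running_config.splitlines():
        m = AP_UPGRADE_METHOD.match(line)
        if m:
            return m.group(1).lower()
    return None


def oob_ap_image_download_enabled(running_config: str) -> bool:
    """True when Out-of-Band AP Image Download is enabled, i.e. the config
    contains 'ap upgrade method https' (the indicator given in the advisory)."""
    return ap_upgrade_method(running_config) == "https"


def triage_fleet(configs: Dict[str, str]) -> Dict[str, bool]:
    """Map each hostname to whether the vulnerable feature is enabled."""
    return {host: oob_ap_image_download_enabled(cfg) for host, cfg in configs.items()}


# Constructed sample output of 'show running-config | include ap upgrade'
# for three hypothetical controllers (not real device data).
SAMPLE_CONFIGS = {
    "wlc-a": "ap upgrade method https\nap upgrade staggered 25\n",
    "wlc-b": "ap upgrade staggered 25\n",
    "wlc-c": "",
}

if __name__ == "__main__":
    for host, enabled in triage_fleet(SAMPLE_CONFIGS).items():
        status = "feature enabled - upgrade or disable it" if enabled else "feature not enabled"
        print(f"{host}: {status}")
```

Only `wlc-a` is reported as affected; `wlc-b` has other `ap upgrade` lines but not the HTTPS method, and `wlc-c` has none.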
Unfortunately, the advisory states that “there are no workarounds that address this vulnerability.” However, as a mitigation, administrators can disable the Out-of-Band AP Image Download feature. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed.
Cisco has released free software updates to address this vulnerability. Customers with service contracts should obtain these security fixes through their usual update channels.
Currently, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.