Cisco has fastened a most severity flaw inĀ IOS XE Software program for Wi-fi LAN Controllers by a hard-coded JSON Net Token (JWT) that enables an unauthenticated distant attacker to take over units.
This token is supposed to authenticate requests to a characteristic referred to as ‘Out-of-Band AP Picture Obtain.’ Because it’s hard-coded, anybody can impersonate a certified person with out credentials.
The vulnerability is tracked as CVE-2025-20188 and has a most 10.0 CVSS rating, permitting risk actors to totally compromise units in response to the seller.
“An attacker might exploit this vulnerability by sending crafted HTTPS requests to the AP picture obtain interface,” reads Cisco’s bulletin.
“A profitable exploit might enable the attacker to add information, carry out path traversal, and execute arbitrary instructions with root privileges.”
It’s famous that CVE-2025-20188 is barely exploitable when the ‘Out-of-Band AP Picture Obtain’ characteristic is enabled on the gadget, which is not enabled by default.
The ‘Out-of-Band AP Picture Obtain’ characteristic permits entry factors (APs) to obtain OS photos through HTTPS quite than over the CAPWAP protocol, permitting a extra versatile and direct solution to get firmware onto APs.
That mentioned, though it is disabled by default, some large-scale or automated enterprise deployments could allow it for quicker provisioning or restoration of APs.
The next units are weak to assaults if the exploitation necessities are met:
- Catalyst 9800-CL Wi-fi Controllers for Cloud
- Catalyst 9800 Embedded Wi-fi Controller for Catalyst 9300, 9400, and 9500 Collection Switches
- Catalyst 9800 Collection Wi-fi Controllers
- Embedded Wi-fi Controller on Catalyst APs
However, merchandise confirmed to not be impacted by the hard-coded JWT subject are: Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki merchandise, Cisco NX-OS, and Cisco AireOS-based WLCs.
Cisco has launched safety updates to deal with the essential vulnerability, so system directors are suggested to use them as quickly as doable.
Customers can decide the precise model that fixes the flaw for his or her gadget utilizing the Cisco Software program Checker for his or her particular gadget mannequin.
Though there aren’t any mitigations or workarounds for CVE-2025-20188, disabling the ‘Out-of-Band AP Picture Obtain’ characteristic is a strong protection.
Presently, Cisco is unaware of any circumstances of lively exploitation for CVE-2025-20188. Nonetheless, given the severity of the problem, risk actors are prone to begin scanning for uncovered weak endpoints instantly.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and tips on how to defend in opposition to them.
