Cisco closes serious security vulnerability in Wireless LAN Controllers

Cisco has fixed a vulnerability with the highest score in IOS XE Software for Wireless LAN Controllers. The problem was caused by a hardcoded JSON Web Token (JWT), which allowed an attacker without login credentials to remotely take complete control of devices.

This was reported by BleepingComputer. The token was intended for authenticating requests made through the Out-of-Band AP Image Download feature. Because the token was hardcoded into the software, anyone who obtained it could impersonate an authorized user. The vulnerability is registered as CVE-2025-20188 and received the maximum CVSS score of 10.0, meaning that attackers can completely compromise affected devices.
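To make the flaw concrete, here is an added illustration that is not Cisco's code and does not model the real IOS XE implementation: it contrasts an endpoint that accepts one JWT baked into the image (so the same credential works against every controller that shipped with that image) with a verifier that checks the signature against a per-controller key provisioned outside the image, enforces an expiry, and binds the token to a specific controller. The key values, claim names and the `wlc-A` / `wlc-B` audiences are constructed for the example; the JWT is hand-signed with HS256 so the block needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Create an HS256-signed JWT (hand-rolled so the example has no dependencies)."""
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


# Constructed illustration of the flawed pattern: the signing key and the resulting
# token are fixed at build time, so every shipped image carries the same credential.
_BUILD_TIME_KEY = b"constructed-example-key-baked-into-image"
HARDCODED_TOKEN = mint_jwt({"sub": "ap-image-download"}, _BUILD_TIME_KEY)  # no exp, no aud


def weak_authorize(presented_token: str) -> bool:
    """Accept the request if the token equals the constant shipped in the image.
    Anyone who extracts that constant is indistinguishable from a legitimate AP."""
    return hmac.compare_digest(presented_token.encode(), HARDCODED_TOKEN.encode())


def strong_authorize(presented_token: str, device_key: bytes, expected_aud: str,
                     now: Optional[float] = None) -> bool:
    """Verify the signature with a key provisioned per controller at install time
    (an assumption of this example, not something that lives in the image), then
    enforce that the token is meant for this controller and has not expired."""
    now = time.time() if now is None else now
    parts = presented_token.split(".")
    if len(parts) != 3:
        return False
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False  # rejects alg=none and algorithm-confusion attempts
        expected_sig = hmac.new(device_key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
            return False
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return False
    if not isinstance(claims, dict) or claims.get("aud") != expected_aud:
        return False
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False
    return True


def demo() -> dict:
    """The extracted constant passes the weak check everywhere; the strong check only
    accepts a fresh token signed for this controller."""
    now = 1_700_000_000.0  # fixed clock so the walk-through is reproducible
    key_a = b"per-controller-secret-A"  # constructed per-device secrets
    key_b = b"per-controller-secret-B"
    fresh = mint_jwt({"sub": "ap-image-download", "aud": "wlc-A", "exp": now + 300}, key_a)
    stale = mint_jwt({"sub": "ap-image-download", "aud": "wlc-A", "exp": now - 1}, key_a)
    return {
        "weak_accepts_extracted_constant": weak_authorize(HARDCODED_TOKEN),
        "strong_rejects_extracted_constant": not strong_authorize(HARDCODED_TOKEN, key_a, "wlc-A", now),
        "strong_accepts_fresh_device_token": strong_authorize(fresh, key_a, "wlc-A", now),
        "strong_rejects_token_for_other_controller": not strong_authorize(fresh, key_b, "wlc-B", now),
        "strong_rejects_expired_token": not strong_authorize(stale, key_a, "wlc-A", now),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the contrast is the blast radius: with the weak pattern one extracted token is a credential for every controller running that image, whereas with per-controller keys and short-lived, audience-bound tokens a leaked token is useless elsewhere and expires quickly. Neither half of this example reproduces the actual vulnerable code path in IOS XE.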

According to Cisco, the vulnerability could be exploited by sending specially crafted HTTPS requests to the AP image download interface. A successful attack would allow an attacker to upload files, gain access to other paths on the system, and execute arbitrary commands with root privileges.

The vulnerability can only be exploited if the Out-of-Band AP Image Download feature is enabled. This feature is disabled by default. It allows access points to download operating system images via HTTPS instead of the usual CAPWAP protocol, which is more efficient in some environments, such as large-scale or automated deployments.

The vulnerable devices include the Catalyst 9800-CL Wireless Controllers for cloud environments, the Catalyst 9800 Embedded Wireless Controllers for the Catalyst 9300, 9400, and 9500 series, other models of the Catalyst 9800 series, and the built-in wireless controller on certain Catalyst Access Points. Devices that are not affected include Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, and Cisco AireOS-based controllers.

Install updates immediately

Cisco has released security updates. Administrators are advised to install these as soon as possible. They can use the Cisco Software Checker to determine which software version resolves the vulnerability on a particular device.

Although no workarounds or mitigations are listed for CVE-2025-20188, disabling the Out-of-Band AP Image Download feature removes the exploitable path and therefore provides effective protection. Cisco states that there are currently no reports of active attacks. Given the severity of the issue, the company considers it likely that attackers will quickly start searching for vulnerable systems.