
Exploit details of serious Cisco IOS XE vulnerability now public


Technical details about a serious file upload vulnerability in Cisco IOS XE for Wireless LAN Controllers (WLC), designated CVE-2025-20188, have been made public. This brings a working exploit closer, but it also helps defenders prevent one.

The publication by Horizon3 researchers does not include a ready-made RCE exploit script, according to BleepingComputer. However, it does provide enough information for a skilled attacker, or even a language model, to fill in the missing pieces.

Given the immediate risk of abuse, Cisco advises affected users to take action to secure their systems.

The Cisco IOS XE WLC vulnerability

Cisco disclosed the critical vulnerability in IOS XE software for Wireless LAN Controllers on May 7, 2025. It allows an attacker to take over devices.

According to the vendor, this is caused by a hardcoded JSON Web Token (JWT). This allows an unauthenticated, remote attacker to upload files, perform path manipulation, and execute arbitrary commands with root privileges.

The security bulletin stated that CVE-2025-20188 is only dangerous when the ‘Out-of-Band AP Image Download’ feature is enabled on the device. In that case, the following models are at risk:

  • Catalyst 9800-CL Wireless Controllers for Cloud.
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 series switches.
  • Catalyst 9800 Series Wireless Controllers.
  • Embedded Wireless Controller on Catalyst APs.

Horizon3’s attack analysis

Horizon3’s analysis shows that the vulnerability exists due to a hardcoded JWT fallback secret (‘notfound’). This is used by backend Lua scripts at upload endpoints, combined with insufficient path validation.

The backend uses OpenResty (Lua + Nginx) scripts to validate JWT tokens and handle file uploads. If the file ‘/tmp/nginx_jwt_key’ is missing, the script uses ‘notfound’ as the secret key to verify JWTs.

This allows attackers to generate valid tokens without knowing any secret information, simply by using ‘HS256’ and ‘notfound’.

The Horizon3 example sends an HTTP POST request with a file upload to the ‘/ap_spec_rec/upload/’ endpoint via port 8443. It uses path manipulation in the file name to place an innocent file (foo.txt) outside the intended directory.
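The two root causes described above, a silent fallback to a constant JWT secret when the key file is missing and a file name that is never confined to the upload directory, shown next to the fail-closed form a defender would want. This is an added Python illustration, not code from the page, Horizon3 or Cisco; the controller's real scripts are Lua, and the file paths and function names here are assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Hypothetical constants; the controller's actual Lua scripts are not reproduced here.
FALLBACK_SECRET = "notfound"          # the hardcoded fallback named in the write-up
KEY_FILE = "/tmp/nginx_jwt_key"       # key file location named in the write-up


def load_jwt_key_vulnerable(key_file: str = KEY_FILE) -> str:
    """Weak pattern: if the key file is missing, quietly use a constant secret.

    Anyone who knows the constant can mint tokens that pass verification.
    """
    try:
        return Path(key_file).read_text().strip()
    except FileNotFoundError:
        return FALLBACK_SECRET


def load_jwt_key_hardened(key_file: str = KEY_FILE) -> str:
    """Fail closed: no key on disk (or an empty one) means no token is accepted."""
    key = Path(key_file).read_text().strip()   # FileNotFoundError propagates
    if not key:
        raise RuntimeError("JWT signing key is empty; refusing to verify tokens")
    return key


def safe_upload_path(upload_root: str, user_filename: str) -> Optional[str]:
    """Confine a client-supplied file name to upload_root.

    Resolves symlinks and '..' segments before comparing, and also rejects
    absolute names (os.path.join discards the root when the name is absolute).
    Returns the resolved target, or None if it would escape upload_root.
    """
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, user_filename))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    print(safe_upload_path("/opt/ap-uploads", "foo.txt"))
    print(safe_upload_path("/opt/ap-uploads", "../../etc/foo.txt"))  # None
```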

To escalate the file upload vulnerability to remote code execution, an attacker can overwrite configuration files loaded by backend services, place web shells, or abuse monitored files to perform unauthorized actions.

The Horizon3 example exploits the ‘pvp.sh’ service that monitors specific directories, overwrites the configuration files it relies on, and triggers a reload action to execute commands from the attacker.

Given the increased risk of exploitation, users are advised to upgrade to a patched version (17.12.04 or newer) as soon as possible.

As a temporary workaround, administrators can disable the Out-of-Band AP Image Download feature to deactivate the vulnerable service.
