CVE-2025-20188
published 2025-05-07


Priority: P1 (95), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitation: exploited in the wild; public exploit; VulnCheck KEV
EPSS: 17.89% (96.8th percentile)
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.

Affected

15 ranges (the version-range and fixed-in columns carry no values on this page)
Vendor    Product                                Version range    Fixed in
cisco     cisco_ios_xe_software (7 ranges)
cisco     ios_xe (7 ranges)
cisco     ios_xe_wireless_controller (1 range)

Detection & IOCs (extracted from sources)

path: /ap_spec_rec/upload/
port: 8443
other: notfound (hard-coded JWT fallback secret)
path: /tmp/nginx_jwt_key
cookie: jwt={{ generate_jwt(payload,"HS256",secret) }}
other: cdb_token_request_id1
path: usr/binos/openresty/nginx/html/
other: fofa-query: '"IOS-Self-Signed-Certificate" && port="8443"'
other: shodan-query: 'http.html_hash:1076109428 ssl.cert.issuer.cn:"IOS-Self-Signed-Certificate" port:8443'
process: pvp.sh
rule (Emerging Threats, written in Suricata keyword syntax; it decodes the JWT segment after the first '.' and matches the marker in the decoded payload):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco IOS XE WLC Arbitrary File Upload Attempt (CVE-2025-20188)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload/"; fast_pattern; http.cookie; content:"jwt="; content:"."; base64_decode:offset 0,relative; base64_data; content:"cdb_token_request_id1"; reference:url,horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/; reference:cve,2025-20188; classtype:attempted-admin; sid:2062916; rev:1; metadata:affected_product Cisco_IOS, attack_target Networking_Equipment, created_at 2025_06_12, cve CVE_2025_20188, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2025_06_12; target:dest_ip;)
  • Detect exploit attempts by looking for HTTP POST requests to /upload/ (or specifically /ap_spec_rec/upload/) on port 8443 containing a Cookie header with 'jwt=' where the base64-decoded JWT body contains the string 'cdb_token_request_id1'.
  • The exploit uses HS256-signed JWTs with the hardcoded secret 'notfound'. Inspect JWT tokens on the /ap_spec_rec/upload/ endpoint for HS256 algorithm and validate against this secret to identify exploitation attempts.
  • Monitor for path traversal sequences (e.g., '../../') in multipart form-data filename fields on POST requests to /ap_spec_rec/upload/, which are used to drop files outside the intended upload directory.
  • Alert on HTTP responses from port 8443 containing the 'openresty' server header in combination with a 200 status code following a POST to /ap_spec_rec/upload/, which indicates a successful file upload.
  • Identify vulnerable/exposed devices using Shodan query for IOS-Self-Signed-Certificate on port 8443 with the specific HTML hash.
  • Monitor for unexpected writes to 'usr/binos/openresty/nginx/html/' or modifications to config files consumed by the pvp.sh service, which can indicate post-upload RCE escalation.
  • CVE-2025-20188 is only exploitable when the 'Out-of-Band AP Image Download' feature is enabled on the device. This feature is NOT enabled by default.
  • The hardcoded JWT fallback secret ('notfound') is only triggered when the file '/tmp/nginx_jwt_key' is absent on the device. If this file exists with a proper secret, the fallback is not used.
  • The backend vulnerable component is OpenResty (Lua + Nginx). Detection rules targeting the 'openresty' server header are specific to this stack.
  • Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, and Cisco AireOS-based WLCs are NOT affected. Detection should be scoped to IOS XE WLC devices only.
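The detection steps above, carried through as an added worked example (this code is not from the page, from Cisco, or from the ET rule): a small Python analyzer that parses one raw HTTP request, pulls the jwt cookie, checks that the header says HS256, recomputes the HMAC with the hard-coded fallback secret 'notfound', looks for the cdb_token_request_id1 marker in the decoded payload, and flags '../' in multipart filename fields. The two sample requests are constructed, not captured traffic; the payload key {"cdb_token_request_id1": 1} is an assumption about where the marker sits (only the substring is documented on this page), and the per-device key in the benign sample is likewise assumed.

```python
import base64
import hashlib
import hmac
import json
import re

# Hard-coded fallback secret named on this page; the Lua backend uses it when
# /tmp/nginx_jwt_key is absent.
FALLBACK_SECRET = b"notfound"
UPLOAD_PATH = "/ap_spec_rec/upload/"
MARKER = b"cdb_token_request_id1"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to build the constructed samples."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def analyze(raw: str) -> dict:
    """Score one request against the indicators listed on this page."""
    req = parse_request(raw)
    found = {
        "upload_post": req["method"] == "POST" and req["path"].startswith(UPLOAD_PATH),
        "token_hs256": False,
        "token_marker": False,
        "fallback_secret_valid": False,
        # Traversal inside any multipart filename= field of the body.
        "traversal": bool(re.search(r'filename="[^"]*\.\./', req["body"])),
    }
    m = re.search(r"(?:^|;\s*)jwt=([^;\s]+)", req["headers"].get("cookie", ""))
    if m and m.group(1).count(".") == 2:
        h, p, s = m.group(1).split(".")
        try:
            header = json.loads(b64url_decode(h))
            payload = b64url_decode(p)
            sig = b64url_decode(s)
        except ValueError:  # malformed base64 or JSON: not a usable token
            header, payload, sig = {}, b"", b""
        found["token_hs256"] = isinstance(header, dict) and header.get("alg") == "HS256"
        found["token_marker"] = MARKER in payload
        # Recompute the HMAC with the fallback secret: a match means the token
        # was minted with the hard-coded key, the strongest signal available.
        expected = hmac.new(FALLBACK_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        found["fallback_secret_valid"] = hmac.compare_digest(expected, sig)
    found["exploit"] = found["upload_post"] and (
        found["fallback_secret_valid"] or found["token_marker"]
    )
    return found


# Constructed samples, not captured traffic (payload key and benign key assumed).
MALICIOUS = (
    "POST /ap_spec_rec/upload/ HTTP/1.1\r\n"
    "Host: 192.0.2.10:8443\r\n"
    "Cookie: jwt=" + hs256_jwt({"cdb_token_request_id1": 1}, FALLBACK_SECRET) + "\r\n"
    "Content-Type: multipart/form-data; boundary=x\r\n"
    "\r\n"
    "--x\r\n"
    'Content-Disposition: form-data; name="file"; '
    'filename="../../../../usr/binos/openresty/nginx/html/poc.txt"\r\n'
    "\r\n"
    "hello\r\n"
    "--x--\r\n"
)

BENIGN = (
    "POST /ap_spec_rec/upload/ HTTP/1.1\r\n"
    "Host: 192.0.2.10:8443\r\n"
    "Cookie: jwt=" + hs256_jwt({"sub": "ap-01"}, b"assumed-per-device-key") + "\r\n"
    "Content-Type: multipart/form-data; boundary=x\r\n"
    "\r\n"
    "--x\r\n"
    'Content-Disposition: form-data; name="file"; filename="spectral.bin"\r\n'
    "\r\n"
    "data\r\n"
    "--x--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The signature check is what separates this from the ET rule: the rule fires on the marker substring alone, which a scanner can spoof or omit, whereas a token that verifies under 'notfound' can only have been minted with the fallback key. Port 8443 is TLS, so feed this decrypted traffic (a TLS-terminating proxy or device-side access logs), not raw packets; and the traversal check is a complement, not a requirement, since the page's own rule does not key on the filename field.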

CVSS provenance

nvd: v3.1 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL
vendor (cisco): 10.0 CRITICAL