CVE-2025-20188
Published 2025-05-07
Priority P1 · 95 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 17.89% (96.8th percentile)
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.
This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Affected
15 ranges (version bounds and fixed versions were not captured in this extract)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_ios_xe_software | — | — |
| cisco | ios_xe | — | — |
| cisco | ios_xe_wireless_controller | — | — |
Detection & IOCs (extracted from sources)
cookie: jwt={{ generate_jwt(payload,"HS256",secret) }}
other: cdb_token_request_id1
path: usr/binos/openresty/nginx/html/
other: fofa-query: '"IOS-Self-Signed-Certificate" && port="8443"'
other: shodan-query: 'http.html_hash:1076109428 ssl.cert.issuer.cn:"IOS-Self-Signed-Certificate" port:8443'
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco IOS XE WLC Arbitrary File Upload Attempt (CVE-2025-20188)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload/"; fast_pattern; http.cookie; content:"jwt="; content:"."; base64_decode:offset 0,relative; base64_data; content:"cdb_token_request_id1"; reference:url,horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/; reference:cve,2025-20188; classtype:attempted-admin; sid:2062916; rev:1; metadata:affected_product Cisco_IOS, attack_target Networking_Equipment, created_at 2025_06_12, cve CVE_2025_20188, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2025_06_12; target:dest_ip;)
- Detect exploit attempts by looking for HTTP POST requests to /upload/ (or specifically /ap_spec_rec/upload/) on port 8443 containing a Cookie header with 'jwt=' where the base64-decoded JWT body contains the string 'cdb_token_request_id1'.
- The exploit uses HS256-signed JWTs with the hardcoded secret 'notfound'. Inspect JWT tokens on the /ap_spec_rec/upload/ endpoint for the HS256 algorithm and validate them against this secret to identify exploitation attempts.
- Monitor for path traversal sequences (e.g., '../../') in multipart form-data filename fields on POST requests to /ap_spec_rec/upload/, which are used to drop files outside the intended upload directory.
- Alert on HTTP responses from port 8443 containing the 'openresty' server header in combination with a 200 status code following a POST to /ap_spec_rec/upload/, which indicates a successful file upload.
- Identify vulnerable/exposed devices using the Shodan query for IOS-Self-Signed-Certificate on port 8443 with the specific HTML hash.
- Monitor for unexpected writes to 'usr/binos/openresty/nginx/html/' or modifications to config files consumed by the pvp.sh service, which can indicate post-upload RCE escalation.
- CVE-2025-20188 is only exploitable when the 'Out-of-Band AP Image Download' feature is enabled on the device. This feature is NOT enabled by default.
- The hardcoded JWT fallback secret ('notfound') is only used when the file '/tmp/nginx_jwt_key' is absent on the device. If this file exists with a proper secret, the fallback is not used.
- The vulnerable backend component is OpenResty (Lua + Nginx). Detection rules targeting the 'openresty' server header are specific to this stack.
- Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, and Cisco AireOS-based WLCs are NOT affected. Detection should be scoped to IOS XE WLC devices only.
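A request-inspection check that applies the indicators listed above (a POST to an /upload/ path, a jwt cookie whose decoded body contains cdb_token_request_id1, and an HS256 signature validated against the fallback secret), written here as an added Python example that is not taken from any of the sources on this page. The sample request, the layout of the token body and the hostname are constructed for illustration.

```python
import base64, hashlib, hmac, json

UPLOAD_MARKER = "/upload/"                 # URI substring from the rule on this page
PAYLOAD_MARKER = b"cdb_token_request_id1"  # JWT body content from the rule on this page
FALLBACK_SECRET = b"notfound"              # hard-coded fallback secret named on this page

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring any stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _jwt_cookie(raw: str):
    """Return (method, path, value of the 'jwt' cookie or None) for a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path = (head[0].split(" ") + ["", ""])[:2]
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for part in value.split(";"):
                key, _, cookie_value = part.strip().partition("=")
                if key == "jwt":
                    return method, path, cookie_value
    return method, path, None

def inspect_request(raw: str) -> dict:
    """Apply the page's indicators to one request and report what matched."""
    method, path, token = _jwt_cookie(raw)
    result = {"alert": False, "alg": None, "marker_in_jwt": False, "fallback_secret_verifies": False}
    if method != "POST" or UPLOAD_MARKER not in path or not token or token.count(".") != 2:
        return result
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(head_b64))
        body, signature = _b64url_decode(body_b64), _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return result   # not a decodable JWT; nothing to match against
    result["alg"] = header.get("alg") if isinstance(header, dict) else None
    result["marker_in_jwt"] = PAYLOAD_MARKER in body
    if result["alg"] == "HS256":  # validate against the fallback secret, as advised above
        expected = hmac.new(FALLBACK_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        result["fallback_secret_verifies"] = hmac.compare_digest(expected, signature)
    result["alert"] = result["marker_in_jwt"]  # same trigger condition as the Snort rule
    return result

_b64url = lambda data: base64.urlsafe_b64encode(data).rstrip(b"=").decode()
# Constructed sample: header and body shaped like the indicators; the signature is a placeholder,
# so the check reports the marker but not a signature that verifies under the fallback secret.
SAMPLE_TOKEN = ".".join(_b64url(p) for p in (
    b'{"alg":"HS256","typ":"JWT"}', b'{"id":"cdb_token_request_id1"}', b"placeholder"))
SAMPLE_REQUEST = ("POST /ap_spec_rec/upload/ HTTP/1.1\r\nHost: wlc.example\r\n"
                  f"Cookie: jwt={SAMPLE_TOKEN}\r\nContent-Length: 0\r\n\r\n")
BENIGN_REQUEST = "GET /webui/ HTTP/1.1\r\nHost: wlc.example\r\n\r\n"
```

A request whose token does verify under 'notfound' is the stronger signal; the marker alone already matches the Suricata rule's logic.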
CVSS provenance
- NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
- Cisco (vendor): 10.0 CRITICAL
GHSA
GHSA-489q-h7v6-2626 · ghsa_unreviewed · 2025-05-07 · CRITICAL · CWE-798
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.
This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default.
VulnCheck
Cisco ios_xe Use of Hard-coded Credentials · vulncheck · 2025 · CVSS 10.0 · CRITICAL
Affected: Cisco ios_xe
Required Action: Apply remediations or mitigations per vendor instructions or
Cisco
Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability · vendor_cisco · 2025-05-07 · CVSS 10.0 · CRITICAL · CWE-798
Cisco has released software updates that address this vulnerabilit
Cisco
CVE-2025-20188: Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability · vendor_cisco · CVSS 3.1 (same advisory text as the Cisco entry above)
Suricata
ET EXPLOIT Cisco IOS XE WLC Arbitrary File Upload Attempt (CVE-2025-20188) · suricata · 2025-06-12 · CVSS 10.0 · CRITICAL
Rule: sid:2062916, rev:1 (the full rule text is listed under Detection & IOCs above)
Nuclei
Cisco IOS XE WLC - Arbitrary File Upload · nuclei · CVSS 10.0 · CRITICAL
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Template:
id: CVE-2025-20188
info:
name: Cisco IOS XE WLC - Arbitrary File Upload
author: iamnoooob,pdresearch,DhiyaneshDK
severity: critical
description: |
A vulnera
Bleepingcomputer
Exploit details for max severity Cisco IOS XE flaw now public · blogs_bleepingcomputer · 2025-05-31 · CVSS 10.0 · CRITICAL · by Bill Toulas
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.
The write-up by Horizon3 researchers does not contain a 'ready-to-run' proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces.
Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users take action now to protect their endpoints.
## The Cisco IOS XE WLC flaw
Cisco disclosed the critical flaw in IOS XE Software for Wireless LAN Controllers on May 7, 2025, which allows an attacker to
Bleepingcomputer
Cisco fixes max severity IOS XE flaw letting attackers hijack devices · blogs_bleepingcomputer · 2025-05-08 · CVSS 10.0 · CRITICAL · by Bill Toulas
Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
This token is meant to authenticate requests to a feature called 'Out-of-Band AP Image Download.' Since it's hard-coded, anyone can impersonate an authorized user without credentials.
The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score, allowing threat actors to fully compromise devices according to the vendor.
"An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface," reads Cisco's bulletin.
"A successful exploit could