Cisco has fastened a most severity flaw in IOS XE Software program for Wi-fi LAN Controllers by a hard-coded JSON Internet Token (JWT) that enables an unauthenticated distant attacker to take over units.
This token is supposed to authenticate requests to a function referred to as ‘Out-of-Band AP Picture Obtain.’ Because it’s hard-coded, anybody can impersonate a certified person with out credentials.
The vulnerability is tracked as CVE-2025-20188 and has a most 10.0 CVSS rating, permitting risk actors to totally compromise units in accordance with the seller.
“An attacker may exploit this vulnerability by sending crafted HTTPS requests to the AP picture obtain interface,” reads Cisco’s bulletin.
“A profitable exploit may permit the attacker to add recordsdata, carry out path traversal, and execute arbitrary instructions with root privileges.”
It’s famous that CVE-2025-20188 is simply exploitable when the ‘Out-of-Band AP Picture Obtain’ function is enabled on the gadget, which is not enabled by default.
The ‘Out-of-Band AP Picture Obtain’ function permits entry factors (APs) to obtain OS photos through HTTPS slightly than over the CAPWAP protocol, permitting a extra versatile and direct technique to get firmware onto APs.
That stated, though it is disabled by default, some large-scale or automated enterprise deployments could allow it for quicker provisioning or restoration of APs.
The next units are weak to assaults if the exploitation necessities are met:
- Catalyst 9800-CL Wi-fi Controllers for Cloud
- Catalyst 9800 Embedded Wi-fi Controller for Catalyst 9300, 9400, and 9500 Collection Switches
- Catalyst 9800 Collection Wi-fi Controllers
- Embedded Wi-fi Controller on Catalyst APs
However, merchandise confirmed to not be impacted by the hard-coded JWT subject are: Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki merchandise, Cisco NX-OS, and Cisco AireOS-based WLCs.
Cisco has launched safety updates to deal with the essential vulnerability, so system directors are suggested to use them as quickly as attainable.
Customers can decide the precise model that fixes the flaw for his or her gadget utilizing the Cisco Software program Checker for his or her particular gadget mannequin.
Though there aren’t any mitigations or workarounds for CVE-2025-20188, disabling the ‘Out-of-Band AP Picture Obtain’ function is a strong protection.
At the moment, Cisco is unaware of any circumstances of lively exploitation for CVE-2025-20188. Nonetheless, given the severity of the difficulty, risk actors are prone to begin scanning for uncovered weak endpoints instantly.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and how one can defend towards them.
