
Critical Vulnerability Analysis in Cisco IOS XE for WLCs: CVE-2025-20188 Report

  • Rescana
  • May 8
  • 2 min read

Detailed Analysis Report on Cisco Security Advisory: cisco-sa-wlc-file-uplpd-rHZG9UfC

Overview

The Cisco Security Advisory ID cisco-sa-wlc-file-uplpd-rHZG9UfC, published on May 7, 2025, addresses a critical vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). This vulnerability is identified by CVE-2025-20188 and has a CVSS score of 10.0, indicating its critical nature.

Vulnerability Details

The vulnerability allows an unauthenticated, remote attacker to upload arbitrary files to an affected system. This is due to the presence of a hard-coded JSON Web Token (JWT) on the system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges.

Affected Products

The vulnerability affects the following:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

Non-Affected Products

  • IOS Software
  • IOS XE Software on devices not functioning as WLCs
  • IOS XR Software
  • Meraki products
  • NX-OS Software
  • WLC AireOS Software

Exploitation Conditions

The Out-of-Band AP Image Download feature must be enabled for the vulnerability to be exploited. This feature is not enabled by default.

Mitigation Strategies

There are no workarounds available to address this vulnerability directly. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method, which does not impact the AP client state. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed.
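To verify that the mitigation is actually in place across a fleet of controllers, the following added example (not Cisco's code and not part of the advisory) scans running-config text for the Out-of-Band AP Image Download setting. It assumes the feature is enabled by the global command `ap upgrade method https` as documented for Catalyst 9800 controllers, and the sample configs are constructed.

```python
import re

# Constructed running-config excerpts (sample data, not real device output).
# Assumption: the Out-of-Band AP Image Download feature is enabled by the
# global line "ap upgrade method https"; when it is absent, AP images are
# delivered over CAPWAP, which is the state the advisory recommends.
SAMPLE_CONFIGS = {
    "wlc-dc1": "hostname wlc-dc1\n!\nap upgrade method https\n!\nap profile default-ap-profile\n",
    "wlc-dc2": "hostname wlc-dc2\n!\nap profile default-ap-profile\n description ap upgrade method https notes\n",
    "wlc-branch": "hostname wlc-branch\n!\nap profile default-ap-profile\n",
}

# Match only the global command at the start of a line, not text that merely
# mentions it inside a description or comment.
OOB_ENABLED = re.compile(r"^\s*ap upgrade method https\s*$", re.MULTILINE)


def oob_image_download_enabled(running_config: str) -> bool:
    """Return True if the vulnerable feature is enabled in this config."""
    return OOB_ENABLED.search(running_config) is not None


def audit_fleet(configs: dict) -> dict:
    """Map each hostname to a finding with status and suggested remediation."""
    findings = {}
    for host, cfg in configs.items():
        if oob_image_download_enabled(cfg):
            findings[host] = {
                "status": "exposed",
                # Assumed disable command (the "no" form); confirm against Cisco docs.
                "remediation": "no ap upgrade method https",
            }
        else:
            findings[host] = {"status": "mitigated", "remediation": None}
    return findings


def exposed_hosts(configs: dict) -> list:
    """Sorted list of hostnames still running the exposed feature."""
    return sorted(h for h, f in audit_fleet(configs).items() if f["status"] == "exposed")


if __name__ == "__main__":
    for host, finding in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{host}: {finding['status']}")
```

Feed it the output of `show running-config` from each controller; hosts reported as exposed still need the feature disabled or the fixed release installed.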

Fixed Software

Cisco has released free software updates to address this vulnerability. Customers are advised to upgrade to the fixed release as soon as possible. The fixed software can be obtained through the usual update channels.

Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Discovery and Reporting

The vulnerability was discovered by X.B. of the Cisco Advanced Security Initiatives Group (ASIG) during internal security testing.

References and Additional Resources

