Cisco fixes max severity IOS XE flaw letting attackers hijack devices

Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers, caused by a hard-coded JSON Web Token (JWT), that allows an unauthenticated remote attacker to take over devices.

This token is meant to authenticate requests to a feature called ‘Out-of-Band AP Image Download.’ Because it is hard-coded, anyone can impersonate an authorized user without credentials.

The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score. According to the vendor, it allows threat actors to fully compromise devices.

“An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface,” reads Cisco’s bulletin.

“A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.”

CVE-2025-20188 is only exploitable when the ‘Out-of-Band AP Image Download’ feature is enabled on the device, and it is not enabled by default.

The ‘Out-of-Band AP Image Download’ feature allows access points (APs) to download OS images via HTTPS rather than over the CAPWAP protocol, giving a more flexible and direct way to get firmware onto APs.

That said, although it is disabled by default, some large-scale or automated enterprise deployments may enable it for faster provisioning or recovery of APs.

The following devices are vulnerable to attacks if the exploitation requirements are met:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

On the other hand, products confirmed not to be impacted by the hard-coded JWT issue are: Cisco IOS (non-XE), Cisco IOS XR, Cisco Meraki products, Cisco NX-OS, and Cisco AireOS-based WLCs.

Cisco has released security updates to address the critical vulnerability, so system administrators are advised to apply them as soon as possible.

Users can determine the exact version that fixes the flaw for their specific device model using the Cisco Software Checker.

Although there are no mitigations or workarounds for CVE-2025-20188, disabling the ‘Out-of-Band AP Image Download’ feature is a solid defense.

At this time, Cisco is unaware of any cases of active exploitation for CVE-2025-20188. However, given the severity of the issue, threat actors are likely to start scanning for exposed vulnerable endpoints immediately.
