Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability (CVE-2025-20188)

Cisco released a security advisory to address a vulnerability in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to an affected system. Tracked as CVE-2025-20188, the vulnerability has a critical severity rating with a CVSS score of 10.

Cisco IOS XE is a version of the Cisco Internetwork Operating System (IOS) designed for next-generation Cisco platforms. It runs as a daemon on top of a Linux kernel, offering increased modularity, feature-rich functionality, and advanced capabilities compared to the traditional monolithic IOS.

Vulnerability Description

The vulnerability exists in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability originates from the presence of a hard-coded JSON Web Token (JWT) on an affected system. For successful exploitation of the vulnerability, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. Upon successful exploitation, an attacker could upload files, perform path traversal, and execute arbitrary commands with root privileges.

Affected Versions

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for WLCs and have the Out-of-Band AP Image Download feature enabled:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

Mitigation

Cisco recommends that users upgrade to the latest version to address the vulnerability.

For more information, please refer to the Cisco Security Advisory (cisco-sa-wlc-file-uplpd-rHZG9UfC).

Workaround

Administrators can disable the Out-of-Band AP Image Download feature. With this feature disabled, AP image download will use the CAPWAP method for the AP image update feature, which does not impact the AP client state.
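Because the only precondition the advisory names is that the Out-of-Band AP Image Download feature is enabled, a quick exposure check is to audit each controller's running configuration for that setting before patching. The script below is an added example written for this page, not code from Qualys or Cisco. It assumes (this is not stated on the page) that on Catalyst 9800 controllers the feature is switched on with the `ap upgrade method https` line and that `ap upgrade method capwap` restores the default CAPWAP method; verify those keywords against your platform's documentation. The configuration excerpts are constructed samples, not real device output.

```python
import re
from typing import Dict, List

# Constructed running-config excerpts for three hypothetical controllers.
# Only the first one has the out-of-band (HTTPS) AP image download enabled.
SAMPLE_CONFIGS: Dict[str, str] = {
    "wlc-lab-01": "hostname wlc-lab-01\n!\nap upgrade method https\n!\nend\n",
    "wlc-lab-02": "hostname wlc-lab-02\n!\nap upgrade method capwap\n!\nend\n",
    "wlc-lab-03": "hostname wlc-lab-03\n!\nend\n",
}

# Assumption: "ap upgrade method https" is the line that enables the
# Out-of-Band AP Image Download feature; absence of the line means the
# CAPWAP default is in effect. Anchored to line start so a similar string
# inside a description or banner does not produce a false positive.
OOB_PATTERN = re.compile(r"^\s*ap upgrade method https\b", re.MULTILINE)


def oob_image_download_enabled(running_config: str) -> bool:
    """True when the config turns on out-of-band (HTTPS) AP image download."""
    return OOB_PATTERN.search(running_config) is not None


def audit(configs: Dict[str, str]) -> List[str]:
    """Return the hostnames that satisfy the advisory's exploitation precondition."""
    return sorted(host for host, cfg in configs.items() if oob_image_download_enabled(cfg))


def remediation_commands() -> List[str]:
    """CLI sequence (assumed keywords) that reverts to the CAPWAP image download method."""
    return ["configure terminal", "ap upgrade method capwap", "end", "write memory"]


if __name__ == "__main__":
    exposed = audit(SAMPLE_CONFIGS)
    for host in exposed:
        print(f"{host}: Out-of-Band AP Image Download enabled; workaround applies")
    if exposed:
        print("Workaround commands:", " ; ".join(remediation_commands()))
```

In practice the `SAMPLE_CONFIGS` dictionary would be filled from `show running-config` output collected by your existing network automation; the check is read-only and does not touch the AP image download interface itself, so it is safe to run fleet-wide while upgrades are scheduled.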

Qualys Detection

Qualys customers can scan their devices with QID 317627 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC