
Cisco has issued an urgent security update to address a critical vulnerability in wireless controllers running IOS XE. The flaw, designated CVE-2025-20188, has been assigned the highest possible CVSS score of 10.0.
The root cause of the vulnerability lies in the presence of a hardcoded JSON Web Token (JWT) embedded within the firmware of affected devices. This flaw enables a remote, unauthenticated attacker to send specially crafted HTTPS requests to the access point (AP) image download interface, allowing the upload of arbitrary files. Furthermore, the vulnerability facilitates path traversal, enabling the execution of arbitrary commands with root-level privileges.
Exploitation, however, is contingent upon the activation of the Out-of-Band AP Image Download feature, which is disabled by default. When this feature remains inactive, image downloads occur via the CAPWAP protocol, effectively mitigating the vulnerability.
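The article describes the two weaknesses that combine here: an upload interface that trusts a constant credential, and a file name that is used without containment checks, so that traversal sequences reach arbitrary locations. The following Python is an added illustration of the second half, the kind of containment check a file-download or upload handler needs before writing to disk; it is not Cisco's code and says nothing about the actual IOS XE interface. The base directory and the request names are constructed sample values.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: the directory an image handler is meant to write into.
IMAGE_DIR = "/srv/ap-images"


def resolve_upload_path(base_dir: str, requested_name: str) -> Optional[str]:
    """Return the absolute path a client-supplied name may be written to,
    or None when the name escapes base_dir or is otherwise unsafe."""
    # Decode percent-encoding twice so that a double-encoded ".." (%252e)
    # is seen for what it is instead of being decoded later by a lower layer.
    name = unquote(unquote(requested_name))
    # Embedded NUL bytes truncate names in C-level file APIs; refuse them.
    if "\x00" in name:
        return None
    # Treat backslashes as separators so "..\\" cannot slip past a POSIX check.
    name = name.replace("\\", "/")
    # The client only gets to pick a relative name, never an absolute path.
    if name.startswith("/"):
        return None
    # Lexical check: drop empty and "." segments, reject any ".." segment.
    segments = [s for s in name.split("/") if s not in ("", ".")]
    if not segments or any(s == ".." for s in segments):
        return None
    # Semantic check on the resolved path: the final location must still lie
    # inside base_dir, which also defends against symlinks placed under it.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *segments))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_names(base_dir: str, names: list) -> dict:
    """Classify a batch of requested names as 'allowed' or 'rejected';
    useful for replaying request logs against the policy."""
    return {n: ("allowed" if resolve_upload_path(base_dir, n) else "rejected")
            for n in names}


if __name__ == "__main__":
    # Constructed request names: one benign, the rest traversal attempts.
    samples = [
        "ap-image.bin",
        "firmware/ap-image.bin",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\etc\\passwd",
        "/etc/passwd",
    ]
    for name, verdict in audit_names(IMAGE_DIR, samples).items():
        print(f"{verdict:8s} {name!r}")
```

The lexical rejection of `..` and the `commonpath` check on the resolved path are deliberately both present: the first fails closed on obviously hostile input without touching the filesystem, the second catches anything the first did not anticipate, such as a symlink inside the base directory pointing elsewhere.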
The following products are considered at risk, provided they are running vulnerable firmware and have the aforementioned feature enabled:
– Catalyst 9800-CL Wireless Controllers for cloud environments
– Embedded wireless controllers within Catalyst 9300, 9400, and 9500 series switches
– Catalyst 9800 Series Wireless Controllers
– Embedded Wireless Controllers in Catalyst access points
Cisco strongly urges all users to upgrade to the patched firmware version without delay. For those unable to update immediately, a temporary mitigation is available: disable the Out-of-Band AP Image Download feature.
According to Cisco, there have been no reports of exploitation outside controlled testing environments. The vulnerability was identified during an internal security audit by X.B., a member of Cisco’s Advanced Security Initiatives Group (ASIG), and was promptly disclosed to the development team.