Published: 9 May 2025
Severity: Critical (CVSS 9.8)
Exploitation: Remote, unauthenticated
Cisco has released a security advisory addressing a critical vulnerability in IOS XE Wireless Controller (WLC) Software, specifically impacting the Out-of-Band AP Image Download feature. This vulnerability allows unauthenticated attackers to upload arbitrary files, perform path traversal, and execute root-level commands, potentially leading to full system compromise.
The flaw affects environments using Cisco Catalyst 9800 Series controllers where the vulnerable feature has been manually enabled. Immediate action is advised.
Impacted Products
The following Cisco WLC products are vulnerable if this command is present in the running configuration:
ap upgrade method https
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded WLC for Catalyst 9300, 9400 and 9500 switches
- Catalyst 9800 Series Wireless Controllers
- Embedded WLC on Catalyst Access Points
Vulnerability Details
CVE-2025-20188
- Severity: Critical (CVSS 9.8)
- Vector: Remote, unauthenticated over HTTPS
- Description: A hard-coded JSON Web Token (JWT) allows remote attackers to upload files and execute commands as the root user via HTTPS.
- Impact: Attackers may take full control of the controller, alter configurations or firmware, and potentially move laterally through the network.
Detection
To check whether a device is vulnerable, run the following command:
show running-config | include ap upgrade
If the output includes the line
ap upgrade method https
then the vulnerable feature is enabled and should be disabled immediately.
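The check above scales poorly when done by hand across a fleet of controllers. The following script is an added example (not Cisco's code and not part of the advisory): it takes running-config text already collected from each controller, flags devices where the `ap upgrade method https` line is present as a configuration command (ignoring the same words embedded in a banner or description), and pairs each hit with the remediation command the advisory gives. The hostnames and configuration text are constructed samples, not real device output, and the collection step (SSH to the controllers) is assumed to be done separately.

```python
"""Check Cisco Catalyst 9800 WLC running-configs for the CVE-2025-20188 precondition.

Added example, not Cisco's code and not from the advisory. Assumes you have
already collected `show running-config` output per controller; the configs
embedded below are constructed samples, not real device output.
"""
import re

# The configuration line that enables Out-of-Band AP Image Download (from the advisory).
VULNERABLE_COMMAND = "ap upgrade method https"
# The remediation command named in the advisory.
REMEDIATION_COMMAND = "no ap upgrade method https"

# Match the command only when it is the whole configuration line, tolerating
# indentation and trailing whitespace. This avoids false positives when the
# same words appear inside a banner or an interface description.
_VULN_RE = re.compile(r"^\s*ap\s+upgrade\s+method\s+https\s*$", re.IGNORECASE)


def feature_enabled(running_config: str) -> bool:
    """Return True if Out-of-Band AP Image Download is enabled in this config."""
    return any(_VULN_RE.match(line) for line in running_config.splitlines())


def assess(controllers: dict[str, str]) -> list[dict]:
    """Assess a mapping of hostname -> running-config text.

    Returns one record per controller with a 'vulnerable' flag and, where the
    feature is enabled, the remediation command to apply.
    """
    report = []
    for host, config in controllers.items():
        enabled = feature_enabled(config)
        report.append({
            "host": host,
            "vulnerable": enabled,
            "remediation": REMEDIATION_COMMAND if enabled else None,
        })
    return report


# Constructed sample configs (hostnames and content are made up for this example).
SAMPLE_CONFIGS = {
    "wlc-dc1": (
        "hostname wlc-dc1\n"
        "!\n"
        "ap upgrade method https\n"      # feature enabled: vulnerable
        "!\n"
        "end\n"
    ),
    "wlc-dc2": (
        "hostname wlc-dc2\n"
        "!\n"
        "banner motd ^C ap upgrade method https is disabled here ^C\n"  # banner text, not a command
        "!\n"
        "end\n"
    ),
    "wlc-lab": (
        "hostname wlc-lab\n"
        "  ap upgrade method https  \n"  # indented with trailing whitespace: still enabled
        "end\n"
    ),
}


if __name__ == "__main__":
    for rec in assess(SAMPLE_CONFIGS):
        status = "VULNERABLE" if rec["vulnerable"] else "ok"
        line = f"{rec['host']}: {status}"
        if rec["remediation"]:
            line += f"  -> apply: {rec['remediation']}"
        print(line)
```

Running the script prints one line per controller; feed it the real running-config text of each device in place of `SAMPLE_CONFIGS` to produce a fleet-wide list of controllers that still need the feature disabled and the patch applied.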
Recommended Actions
1. Disable the Vulnerable Feature
Remove or adjust the configuration to turn off Out-of-Band AP Image Download:
no ap upgrade method https
This disables Out-of-Band AP Image Download and reverts to the default CAPWAP method without impacting access point performance.
2. Apply Security Updates
Cisco has released patches for affected software versions. Use the Cisco Software Checker to verify your system and access relevant updates. Full details are available in the official Cisco advisory.
3. Restrict Interface Exposure
Limit access to WLC management interfaces. Ensure they are only reachable from trusted internal networks.
4. Monitor for Exploitation
Review system logs and monitor for unusual HTTPS activity targeting the AP upgrade path. Watch for unauthorised uploads or execution behaviour.
Exploitation Risk
At the time of publication, there is no evidence of active exploitation. However, given the severity and ease of exploitation, we recommend that all affected organisations act immediately to secure their environments.
References
- Official Cisco Advisory: Cisco IOS XE Wireless Controller Arbitrary File Upload Vulnerability
- Cisco Software Checker: https://tools.cisco.com/security/center/softwarechecker
- Cisco TAC Contact: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Summary for SOC Teams
- Severity: Critical (CVSS 9.8)
- Attack Vector: Remote, unauthenticated over HTTPS
- Exploitation: Requires Out-of-Band AP Image Download feature enabled
- Impact: Full device compromise with root privileges
- Action: Verify device configuration, disable vulnerable feature if enabled, and apply Cisco patches immediately.
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us at soc@secure-iss.com for assistance.