Technical particulars a few maximum-severity Cisco IOS XE WLC arbitrary file add flaw tracked as CVE-2025-20188 have been made publicly out there, bringing us nearer to a working exploit.
The write-up by Horizon3 researchers doesn’t include a ‘ready-to-run’ proof of idea RCE exploit script, however it does present sufficient data for a talented attacker and even an LLM to fill within the lacking items.
Given the instant danger of weaponization and widespread use in assaults, it is suggested that impacted customers take motion now to guard their endpoints.
The Cisco IOS XE WLC flaw
Cisco disclosed the essential flaw in IOS XE Software program for Wi-fi LAN Controllers on Might 7, 2025, which permits an attacker to take over gadgets.
The seller mentioned it’s attributable to a hard-coded JSON Internet Token (JWT) that enables an unauthenticated, distant attacker to add recordsdata, carry out path traversal, and execute arbitrary instructions with root privileges.
The bulletin famous that CVE-2025-20188 is simply harmful when the ‘Out-of-Band AP Picture Obtain’ function is enabled on the machine, wherein case, the next machine fashions are in danger:
- Catalyst 9800-CL Wi-fi Controllers for Cloud
- Catalyst 9800 Embedded Wi-fi Controller for Catalyst 9300, 9400, and 9500 Collection Switches
- Catalyst 9800 Collection Wi-fi Controllers
- Embedded Wi-fi Controller on Catalyst APs
Horizon3’s assault instance
Horizon3’s evaluation reveals that the flaw exists because of a hardcoded JWT fallback secret (“notfound”) utilized by the backend Lua scripts for add endpoints mixed with inadequate path validation.
Particularly, the backend makes use of OpenResty (Lua + Nginx) scripts to validate JWT tokens and deal with file uploads, but when the ‘/tmp/nginx_jwt_key’ file is lacking, the script falls again to the string “notfound” as the key to confirm JWTs.
This principally permits attackers to generate legitimate tokens with out realizing any secrets and techniques by merely utilizing ‘HS256’ and ‘notfound.’
Horizon3’s instance sends an HTTP POST request with a file add to the ‘/ap_spec_rec/add/’ endpoint by way of port 8443 and makes use of filename path traversal to drop an innocuous file (foo.txt) exterior the meant listing.
.jpg "Exploit particulars for max severity Cisco IOS XE flaw now public 1")
Supply: Horizon3
To escalate the file add flaw to distant code execution, the attacker may overwrite configuration recordsdata loaded by backend providers, drop net shells, or abuse monitored recordsdata to set off unauthorized actions.
Horizon3’s instance abuses the ‘pvp.sh’ service that displays particular directories, overwrites the config recordsdata it will depend on, and triggers a reload even to run attacker instructions.
Given the elevated danger of exploitation, customers are really useful to improve to a patched model (17.12.04 or newer) as quickly as potential.
As a brief workaround, admins can flip off the Out-of-Band AP Picture Obtain function to shut the weak service.
Guide patching is outdated. It is gradual, error-prone, and difficult to scale.
Be a part of Kandji + Tines on June 4 to see why previous strategies fall quick. See real-world examples of how fashionable groups use automation to patch quicker, minimize danger, keep compliant, and skip the advanced scripts.
