Critical Cisco IOS XE WLC Vulnerability: What You Need to Know and How to Respond 

02.06.25

Threat Intelligence Alerts

Cisco recently disclosed a critical vulnerability in their IOS XE Software for Wireless LAN Controllers (WLC), which has come to the fore again after public release of technical exploit details. It is tracked as CVE-2025-20188 and allows for arbitrary file upload, potentially leading to complete system compromise. If you have an affected device, treat this as a high-priority issue. 

The vulnerability was initially disclosed by Cisco on 7 May 2025, with a CVSS severity score of 10.0 (the highest level of risk), but security firm Horizon3 has published an in-depth analysis, including a working exploit path, significantly increasing the likelihood of real-world attacks. 

It was established that backend Lua scripts used for upload endpoints rely on a hardcoded JWT secret (“notfound”) when verifying tokens. Attackers can exploit this by generating valid tokens using the HS256 algorithm with the known fallback secret, bypassing authentication.  Once authenticated, attackers could send a HTTP POST request to port 8443, uploading files to unintended locations via path traversal techniques.  

Such activities can result in full remote code execution, allowing attackers to take control of the device, maintain persistence, and potentially pivot to other parts of the network. 

The vulnerability specifically affects systems running Cisco IOS XE Software for Wireless LAN Controllers. Organisations with public-facing or internet-exposed management interfaces are particularly at risk, especially if patches have not yet been applied. 

To help mitigate the risks, consider the following:

While this vulnerability is technical in nature, the steps to defend against it are clear and should be acted upon, with Cisco and other experts highlighting the risks being a trigger to action.