Skip to content

Cisco recently disclosed a critical vulnerability in their IOS XE Software for Wireless LAN Controllers (WLC), which has come to the fore again after public release of technical exploit details. It is tracked as CVE-2025-20188 and allows for arbitrary file upload, potentially leading to complete system compromise. If you have an affected device, treat this as a high-priority issue. 

The vulnerability was initially disclosed by Cisco on 7 May 2025, with a CVSS severity score of 10.0 (the highest level of risk), but security firm Horizon3 has published an in-depth analysis, including a working exploit path, significantly increasing the likelihood of real-world attacks. 

Central to the vulnerability is how the IOS XE WLC software processes JSON Web Tokens (JWTs).   

It was established that backend Lua scripts used for upload endpoints rely on a hardcoded JWT secret (“notfound”) when verifying tokens. Attackers can exploit this by generating valid tokens using the HS256 algorithm with the known fallback secret, bypassing authentication.  Once authenticated, attackers could send a HTTP POST request to port 8443, uploading files to unintended locations via path traversal techniques.  

Exploitation can be seen in many forms, including: 

  • Overwriting critical configuration files 
  • Installing persistent web shells 
  • Triggering unauthorised actions via monitored system files 

Such activities can result in full remote code execution, allowing attackers to take control of the device, maintain persistence, and potentially pivot to other parts of the network. 

The vulnerability specifically affects systems running Cisco IOS XE Software for Wireless LAN Controllers. Organisations with public-facing or internet-exposed management interfaces are particularly at risk, especially if patches have not yet been applied. 

Preventive Measures 

To help mitigate the risks, consider the following:

  1. Immediately apply the patches that Cisco has released.
  2. Limit external access to WLC management interfaces. Use network segmentation and firewalls to restrict exposure. 
  3. Continue to monitor for suspicious activity and consider using an Intrusion Detection System (IDS) to alert on anomalous behaviour. 
  4. Take the opportunity to quality check administrative accounts to ensure they use strong, unique passwords, and disable unused accounts.  

Conclusion 

While this vulnerability is technical in nature, the steps to defend against it are clear and should be acted upon, with Cisco and other experts highlighting the risks being a trigger to action.