Researchers in Proof of Concept Show Exploit Potential for Widely Used Software

Technical details for a recently patched maximum-severity vulnerability in Cisco IOS XE show how an attacker could chain the flaw into remote code execution.
The vulnerability, tracked as CVE-2025-20188, is an arbitrary file upload made possible by a hard-coded JSON Web Token secret.
Researchers at Horizon3 on Friday published an in-depth technical analysis of the vulnerability that affects Cisco IOS XE Wireless LAN Controller software version 17.12.03 and earlier. While the research stops short of providing a ready-to-run remote code execution exploit, it outlines a step-by-step vulnerability chain that skilled threat actors or even generative AI models could use to achieve full system compromise.
At the heart of the flaw is an unauthenticated arbitrary file upload vulnerability caused by a hard-coded JSON Web Token secret within the software. According to Cisco’s advisory, a remote attacker can exploit the bug by sending specially crafted HTTPS requests to the Out-of-Band AP Image Download feature, enabling file uploads, path traversal and command execution with root privileges.
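As an added illustration (not code from Horizon3, Cisco or this article) of why a verification secret baked into shipped software amounts to no authentication at all, the following Python sketch implements HS256 JWT verification with the standard library and contrasts a verifier keyed with a constant against one keyed with a per-device secret generated at provisioning. The secret value, the claim names and the provisioning function are constructed placeholders; the real hard-coded secret is not on the page and is not needed to make the point.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; what a legitimate token service does."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the signature, algorithm and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse alg confusion, including "none"
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


# CONSTRUCTED placeholder standing in for a secret compiled into firmware; every installation
# would share it, so anyone who can read the image can sign tokens the device trusts.
HARDCODED_SECRET = b"placeholder-secret-shared-by-every-installation"


def provision_device_secret() -> bytes:
    """Hypothetical remedy: a per-device secret generated once at first boot and kept in protected storage."""
    return secrets.token_bytes(32)


def demo(now: float = 1_700_000_000.0) -> dict:
    claims = {"sub": "ap-image-upload", "exp": now + 300}
    # A token minted off-device with the constant verifies on every device that ships it.
    offdevice_token = mint_jwt(claims, HARDCODED_SECRET)
    hardcoded_accepts = verify_jwt(offdevice_token, HARDCODED_SECRET, now) is not None
    # With a per-device secret the same token fails, because the signing key never leaves the device.
    device_secret = provision_device_secret()
    per_device_rejects = verify_jwt(offdevice_token, device_secret, now) is None
    # Tokens the device issues itself still verify, and expiry is still enforced.
    own_ok = verify_jwt(mint_jwt(claims, device_secret), device_secret, now) is not None
    expired_rejected = verify_jwt(mint_jwt({"sub": "x", "exp": now - 1}, device_secret), device_secret, now) is None
    return {
        "hardcoded_accepts_offdevice": hardcoded_accepts,
        "per_device_rejects_offdevice": per_device_rejects,
        "per_device_accepts_own": own_ok,
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The remedy is entirely in where the key comes from: the verifier code is identical in both cases, which is why audits should look at how secrets are provisioned rather than only at whether signatures are checked.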
Cisco’s Catalyst 9800 wireless controllers and embedded wireless solutions are widely used by enterprises, government agencies, universities and large public venues across the globe to manage and secure wireless networks at scale.
The following models are at risk:
- Catalyst 9800-CL Wireless Controllers for Cloud;
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400 and 9500 series switches;
- Catalyst 9800 Series Wireless Controllers;
- Embedded Wireless Controller on Catalyst APs.
Horizon3’s deep-dive reverse-engineering effort compared a vulnerable ISO image (17.12.03) with a patched version (17.12.04). They found that modified Lua scripts ewlc_jwt_verify.lua and ewlc_jwt_upload_files.lua are responsible for validating JWTs and handling uploads, respectively. These scripts are invoked on endpoints such as /aparchive/upload and /ap_spec_rec/upload/, where attackers could exploit path traversal to place files in sensitive directories like /usr/binos/openresty/nginx/html.
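The traversal described above is the classic failure of trusting a client-supplied file name when building a destination path. As an added example (not code from the controller, Horizon3 or this article), the Python function below shows the check an upload handler should perform: decode percent-encoding first, reject any name that carries directory components, and confirm the fully resolved destination still sits directly inside the upload root. The staging directory is an assumed placeholder; the html directory used in the rejected samples is the one named in the write-up.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Assumed staging directory for AP images; not a path from the page.
UPLOAD_ROOT = Path("/var/tmp/ap-images")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied file name could leave the upload root."""


def resolve_upload_target(root: Path, client_name: str) -> Path:
    """Map a client-supplied file name to a path guaranteed to stay inside root.

    Order matters: decode first (so "..%2F" cannot slip past a literal check),
    reject anything with directory components instead of silently stripping them,
    then compare the resolved destination against the resolved root so that
    symlinks already present in the directory cannot redirect the write either.
    """
    name = unquote(unquote(client_name))      # tolerate double-encoded input
    if "\x00" in name:
        raise UnsafeFilename("NUL byte in file name")
    base = PurePosixPath(name).name            # final component only
    if base in ("", ".", "..") or base != name:
        raise UnsafeFilename(f"rejected file name: {client_name!r}")
    root_resolved = root.resolve()
    target = (root_resolved / base).resolve()
    if target.parent != root_resolved:
        raise UnsafeFilename(f"escapes upload root: {client_name!r}")
    return target


def is_safe_upload_name(client_name: str, root: Path = UPLOAD_ROOT) -> bool:
    """Convenience predicate for tests and request validation."""
    try:
        resolve_upload_target(root, client_name)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    for sample in (
        "c9800-ap-image.bin",
        "../../usr/binos/openresty/nginx/html/x.lua",
        "..%2F..%2Fusr%2Fbinos%2Fopenresty%2Fnginx%2Fhtml%2Fx.lua",
        "..",
        "images/ap.bin",
    ):
        print(f"{sample!r:70} -> {'accept' if is_safe_upload_name(sample) else 'reject'}")
```

Rejecting rather than sanitising is deliberate: a client that sends directory components to an image-upload endpoint is not a legitimate access point, and the rejection is itself a useful log event.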
Using this upload method, researchers demonstrated that a malicious file could be written to a web-accessible location, effectively allowing for the hosting and execution of arbitrary code. In their testing, enabling the Out-of-Band AP Image Download service on port 8443 was necessary for full exploitability, though some installations had the service open by default.
The team discovered an internal process management script, pvp.sh, that monitors file system changes using inotifywait. By overwriting its configuration file and uploading a trigger file, they could force the system to execute attacker-specified commands, completing the RCE chain.
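The chain above leaves a distinctive trail on the web-server side: a request to one of the two upload endpoints whose path carries traversal sequences, often followed by further requests from the same source. As an added example (not code from Horizon3, Cisco or this article), the Python script below runs that detection logic over a few constructed access-log lines in a combined-log-like format. The log format, the timestamps and the addresses are assumptions; the endpoints and the html directory are those named in the write-up, and the 8443 port is not part of the assumed log format, so the script keys on the request path alone.

```python
import re
from urllib.parse import unquote

# Endpoints named in the Horizon3 analysis.
UPLOAD_ENDPOINTS = ("/aparchive/upload", "/ap_spec_rec/upload/")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Combined-log-like line: source, timestamp, request line, status. Assumed format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# CONSTRUCTED sample lines; hypothetical, not real controller logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "POST /aparchive/upload HTTP/1.1" 200 12 "-" "ap-updater"
10.0.0.9 - - [12/May/2025:10:05:44 +0000] "POST /ap_spec_rec/upload/..%2F..%2Fusr%2Fbinos%2Fopenresty%2Fnginx%2Fhtml%2Fx.lua HTTP/1.1" 200 0 "-" "curl/8.4"
10.0.0.9 - - [12/May/2025:10:05:50 +0000] "GET /x.lua HTTP/1.1" 200 33 "-" "curl/8.4"
10.0.0.7 - - [12/May/2025:10:07:00 +0000] "GET /webui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify_request(rec: dict):
    """Return a finding for one parsed request, or None if it is unremarkable."""
    decoded = unquote(unquote(rec["path"].split("?", 1)[0]))   # decode twice for double-encoding
    hits_upload = any(decoded.startswith(ep) for ep in UPLOAD_ENDPOINTS)
    if not hits_upload:
        return None
    if TRAVERSAL.search(decoded):
        return dict(rec, severity="high", reason="upload endpoint called with path traversal")
    return dict(rec, severity="medium",
                reason="upload endpoint used; confirm an AP image upgrade was actually scheduled")


def scan(log_text: str) -> list:
    """Scan log lines in order; after a traversal upload, later requests from that source are flagged too."""
    findings, flagged_sources = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        finding = classify_request(rec)
        if finding is None and rec["src"] in flagged_sources:
            finding = dict(rec, severity="medium",
                           reason="follow-up request from a source that already sent a traversal upload")
        if finding is not None:
            if finding["severity"] == "high":
                flagged_sources.add(rec["src"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ts']} {f['src']} {f['method']} {f['path']} -> {f['reason']}")
```

Plain use of the upload endpoints is only medium severity because legitimate AP image upgrades hit them too; the value is in correlating that activity with change-management records, and in treating any traversal sequence on those paths as an incident regardless of the response code.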
While Cisco issued patches to address the vulnerability, it also recommends disabling the Out-of-Band AP Image Download feature as a temporary mitigation. This shifts AP image upgrades to use the secure CAPWAP method instead. Cisco stressed that there are no workarounds beyond upgrading or disabling the vulnerable feature.
Researchers warn that the level of technical detail released, though not weaponized, lowers the bar for developing functional exploits.