Cisco has released software patches to address a critical security vulnerability, tracked as CVE-2025-20188, in its IOS XE Wireless Controller software. The flaw, which carries the maximum possible CVSS score of 10.0, could allow unauthenticated remote attackers to gain full root access on affected systems.
The issue stems from a hard-coded JSON Web Token (JWT) embedded within the IOS XE Wireless Controller. Because the token is fixed and known, an attacker who sends specially crafted HTTPS requests to the Access Point (AP) image download interface can pass its authentication check without any credentials. If successful, the exploit could enable attackers to upload malicious files, conduct path traversal attacks, and execute arbitrary commands with root-level privileges.
"This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system," Cisco stated in its security advisory published on May 7, 2025. "A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
Conditions for Exploitation with CVE-2025-20188

The vulnerability affects only those systems where the Out-of-Band AP Image Download feature is enabled. This feature is disabled by default in the IOS XE Wireless Controller configuration, so a controller that has never had it turned on is not exposed. However, if administrators have enabled this functionality, the controller is exposed to unauthenticated remote root compromise.
Network administrators can determine whether the vulnerable feature is active by running the following command on the controller:

    show running-config | include ap upgrade

If the output contains the line "ap upgrade method https", the feature is enabled, the device is at risk, and immediate action is required. If the line is absent, AP image downloads use the default CAPWAP method and the device is not exposed through this feature.
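As an added example (not code from the original article or from Cisco), the check above can be turned into a small Python function that inspects captured output of "show running-config | include ap upgrade" from several controllers. The two sample outputs are constructed, not captured from real devices; "ap upgrade method https" is the setting the advisory names, and "no ap upgrade method https" is assumed here to be the command that reverts to CAPWAP.

```python
import re

# Constructed sample outputs of "show running-config | include ap upgrade"
# from two hypothetical controllers (not captured from real devices).
EXPOSED_OUTPUT = """\
ap upgrade method https
ap upgrade staggered 25
"""

SAFE_OUTPUT = """\
ap upgrade staggered 25
"""

# Matches the configuration line that enables the Out-of-Band AP Image
# Download feature. Leading whitespace and a trailing CR are tolerated;
# anything appended to "https" (e.g. a typo) is deliberately not matched.
_HTTPS_METHOD = re.compile(r"^\s*ap upgrade method https\s*$", re.MULTILINE)


def oob_ap_image_download_enabled(show_output: str) -> bool:
    """Return True if the vulnerable feature is enabled in the given output."""
    return _HTTPS_METHOD.search(show_output) is not None


def assess(hostname: str, show_output: str) -> dict:
    """Summarise exposure to CVE-2025-20188 for one controller.

    Exposure also requires a vulnerable software version; that comparison
    against Cisco's fixed releases is out of scope here and must be done
    separately.
    """
    enabled = oob_ap_image_download_enabled(show_output)
    if enabled:
        action = ("upgrade now; as an interim mitigation run "
                  "'no ap upgrade method https' (assumed command) "
                  "to fall back to CAPWAP image downloads")
    else:
        action = "not exposed via this feature; upgrade on the normal schedule"
    return {
        "host": hostname,
        "oob_ap_image_download": enabled,
        "action": action,
    }


if __name__ == "__main__":
    for host, out in (("wlc-a", EXPOSED_OUTPUT), ("wlc-b", SAFE_OUTPUT)):
        print(assess(host, out))
```

Feed the function the raw output collected by whatever tooling you already use to run show commands across the fleet; matching on the exact configuration line rather than on the substring "https" avoids false positives from unrelated lines that happen to mention HTTPS.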
Affected Cisco Products
The flaw impacts several Cisco IOS XE Wireless Controller devices, provided they are running vulnerable software versions and have the Out-of-Band AP Image Download feature enabled:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controllers for the 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst Access Points
Cisco clarified that devices not functioning as Wireless LAN Controllers (WLCs), as well as products running IOS, IOS XR, Meraki software, NX-OS, and AireOS, are not affected by CVE-2025-20188.
No Workarounds, Only Fixes
Unlike some security issues that can be temporarily mitigated with configuration tweaks, CVE-2025-20188 has no workarounds listed by Cisco. Cisco does, however, describe a mitigation: administrators can disable the Out-of-Band AP Image Download feature until the patch is applied. This forces the device to revert to the default CAPWAP method for AP image downloads, which is unaffected by the flaw.
However, Cisco cautions that disabling this feature might have unintended consequences in some environments. "Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment," the company noted.
Software Updates Now Available
Cisco has released free software updates that resolve the vulnerability. These patches are available through the company's standard update channels for customers with valid service contracts and software licenses.
Customers are advised to verify that their devices have sufficient memory and are compatible with the new software versions before proceeding with the upgrade. The company emphasizes that security fixes do not grant access to additional features or new software licenses; customers must hold the appropriate entitlements for any upgrades they obtain.
For customers unsure about their licensing status or how to obtain the correct software fix, Cisco recommends visiting the Cisco Support and Downloads portal or contacting the Cisco Technical Assistance Center (TAC).
Conclusion
The rapid identification and patching of this critical flaw, stemming from a hard-coded JWT in the IOS XE Wireless Controller, underscores the continued importance of proactive network defense, especially for systems that run with root-level privilege and sit in the path of every wireless client.
Cisco urges administrators to promptly apply the available fixes, disable the vulnerable feature where feasible, and regularly consult the full set of advisories to ensure comprehensive protection.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.