Cyber Web Spider Blog – News

Cisco IOS XE Wireless Controllers Vulnerability Enables Full Device Control for Attackers


Posted on May 8, 2025 / May 9, 2025 By CWS

Cisco has disclosed a critical security vulnerability in its IOS XE Wireless LAN Controllers that could allow unauthorized attackers to gain full control of affected devices.

The flaw, assigned the maximum severity rating of 10.0, allows unauthenticated remote attackers to upload arbitrary files, traverse directories, and execute commands with root privileges on affected systems.

The vulnerability, tracked as CVE-2025-20188, resides in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs).

According to Cisco’s security advisory released on May 7, the flaw stems from “the presence of a hard-coded JSON Web Token (JWT) on an affected system”.

Security researchers note that attackers can exploit this vulnerability by sending specially crafted HTTPS requests to the AP image download interface.

When successfully exploited, attackers gain the ability to upload malicious files to arbitrary locations and execute commands with the highest system privileges.

“This vulnerability represents a significant risk to enterprise networks using affected Cisco wireless controllers,” said a cybersecurity expert familiar with the issue. “The combination of remote access, no authentication requirements, and root-level command execution makes this flaw particularly dangerous.”

Affected Products

The vulnerability affects a number of Cisco products running vulnerable versions of IOS XE Software with the Out-of-Band AP Image Download feature enabled:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

Administrators can determine if their devices are vulnerable by using the command “show running-config | include ap upgrade” – if it returns “ap upgrade method https,” the device is affected.
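The same check can be run across a fleet from saved configuration backups. The following is an added example, not code from Cisco or from this article; the hostnames and config dumps are constructed, and the script only reports whether the feature line is present, not whether the installed software version is a fixed one.

```python
import re

# Exact line the article says marks an affected device in the output of
# "show running-config | include ap upgrade".
AFFECTED_LINE = "ap upgrade method https"

def audit_config(text):
    """Return (hostname, feature_enabled) for one saved running-config dump."""
    hostname = "unknown"
    enabled = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank or IOS comment line
            continue
        m = re.fullmatch(r"hostname\s+(\S+)", line)
        if m:
            hostname = m.group(1)
        # Whole-line match only: "| include" matches substrings, so a
        # description that merely mentions the phrase would be a false hit.
        elif " ".join(line.split()).lower() == AFFECTED_LINE:
            enabled = True
    return hostname, enabled

def audit_fleet(configs):
    """Map hostname -> feature_enabled for a list of config dumps."""
    return dict(audit_config(c) for c in configs)

# Constructed sample dumps (not real device output).
SAMPLE_CONFIGS = [
    "!\nhostname wlc-hq-01\n!\nap upgrade method https\n!\nend\r\n",
    "hostname wlc-lab-02\ninterface Vlan10\n"
    " description ap upgrade method https test window\nend\n",
    "hostname wlc-dr-03\n!\n! ap upgrade method https\nend\n",
]

if __name__ == "__main__":
    for host, hit in sorted(audit_fleet(SAMPLE_CONFIGS).items()):
        status = "feature ENABLED, prioritize upgrade" if hit else "feature not enabled"
        print(f"{host}: {status}")
```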

Cisco has released software updates that address this vulnerability, and customers are strongly urged to upgrade immediately. The company states there are no workarounds for this issue, but as a temporary mitigation, administrators can disable the vulnerable feature.

“Organizations should prioritize patching this vulnerability immediately,” said another security analyst. “In environments where immediate patching isn’t possible, disabling the Out-of-Band AP Image Download feature is crucial until updates can be applied.”

Security bulletin information indicates the vulnerability was discovered internally by X.B. of the Cisco Advanced Security Initiatives Group during security testing. According to Cisco’s advisory, there is currently no evidence of active exploitation in the wild.

This vulnerability disclosure comes as part of Cisco’s May 2025 Semiannual IOS and IOS XE Software Security Advisory Bundled Publication, which includes fixes for multiple security issues in Cisco products.
