Exploit details for max severity Cisco IOS XE flaw now public


Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.

The write-up by Horizon3 researchers doesn't include a 'ready-to-run' proof-of-concept RCE exploit script, but it does provide enough information for a skilled attacker, or even an LLM, to fill in the missing pieces.

Given the immediate risk of weaponization and widespread use in attacks, impacted users are advised to take action now to protect their devices.

The Cisco IOS XE WLC flaw

Cisco disclosed the critical flaw in IOS XE Software for Wireless LAN Controllers on May 7, 2025, which allows an attacker to take over devices.

The vendor said it is caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated, remote attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.

The bulletin noted that CVE-2025-20188 is only dangerous when the 'Out-of-Band AP Image Download' feature is enabled on the device, in which case the following device models are at risk:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst APs

Horizon3's attack example

Horizon3's analysis shows that the flaw exists due to a hardcoded JWT fallback secret ("notfound") used by the backend Lua scripts for upload endpoints, combined with insufficient path validation.

Specifically, the backend uses OpenResty (Lua + Nginx) scripts to validate JWT tokens and handle file uploads, but if the '/tmp/nginx_jwt_key' file is missing, the script falls back to the string "notfound" as the secret used to verify JWTs.

This essentially allows attackers to generate valid tokens without knowing any secrets, simply by using 'HS256' and 'notfound'.
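As an added illustration (not Horizon3's or Cisco's code), the Python below models both sides of the fallback-secret weakness described above: a fail-closed key loader that refuses to verify when the key file is missing instead of substituting a constant, and a triage helper that flags captured JWTs which validate under the "notfound" fallback, since any such token was never signed with a real per-device key. The key path, the per-device key and the sample tokens are constructed for the example; the HS256 builder exists only to produce those samples.

```python
import base64, hashlib, hmac, json

FALLBACK_SECRET = "notfound"  # the fallback value the write-up describes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT builder, used here only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verifies_under(token: str, secret: str) -> bool:
    """True if token is a well-formed HS256 JWT whose signature matches secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if not (isinstance(header, dict) and header.get("alg") == "HS256"):
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def load_jwt_key(path: str) -> str:
    """Hardened loader: a missing or empty key file is an error, never a constant."""
    try:
        with open(path, encoding="utf-8") as fh:
            key = fh.read().strip()
    except FileNotFoundError as exc:
        raise RuntimeError(f"JWT key file {path} missing; refusing to verify") from exc
    if not key:
        raise RuntimeError(f"JWT key file {path} is empty; refusing to verify")
    return key

def flag_fallback_tokens(tokens):
    """Tokens that verify under the fallback secret were never signed with a real key."""
    return [t for t in tokens if verifies_under(t, FALLBACK_SECRET)]

# Constructed samples: one under a made-up per-device key, one under the fallback.
SAMPLE_TOKENS = [
    sign_hs256({"sub": "ap-image-job"}, "constructed-per-device-key"),
    sign_hs256({"sub": "ap-image-job"}, FALLBACK_SECRET),
]
```

Running `flag_fallback_tokens` over JWTs pulled from the controller's web access logs surfaces tokens that could only have been accepted through the fallback path.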

Horizon3's example sends an HTTP POST request with a file upload to the '/ap_spec_rec/upload/' endpoint via port 8443 and uses filename path traversal to drop an innocuous file (foo.txt) outside the intended directory.

Request to regenerate the JWT using the notfound secret key
Source: Horizon3

To escalate the file upload flaw to remote code execution, the attacker could overwrite configuration files loaded by backend services, drop web shells, or abuse monitored files to trigger unauthorized actions.

Horizon3's example abuses the 'pvp.sh' service that monitors specific directories, overwrites the config files it depends on, and triggers a reload event to run attacker commands.

Given the elevated risk of exploitation, users are advised to upgrade to a patched version (17.12.04 or newer) as soon as possible.

As a temporary workaround, admins can turn off the Out-of-Band AP Image Download feature to close off the vulnerable service.
