EXECUTIVE SUMMARY:
A critical vulnerability in Cisco IOS XE Wireless LAN Controller software, tracked as CVE-2025-20188 with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution by exploiting a hard-coded JSON Web Token (JWT) secret in backend Lua scripts. Researchers analyzed the affected and patched ISO versions, identifying that the flaw lies in the /ap_spec_rec/upload/ endpoint on port 8443, which blindly trusts JWTs and allows path traversal for arbitrary file placement. They further demonstrated how uploading malicious files and triggering internal service reloads via the pvp.sh watcher script could lead to full RCE, prompting Cisco to release a patch and advise disabling the Out-of-Band AP Image Download feature as a temporary mitigation.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A critical vulnerability in Cisco IOS XE Wireless LAN Controller software, tracked as CVE-2025-20188 with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution by exploiting a hard-coded JSON Web Token (JWT) secret in backend Lua scripts. Researchers analyzed the affected and patched ISO versions, identifying that the flaw lies in the /ap_spec_rec/upload/ endpoint on port 8443, which blindly trusts JWTs and allows path traversal for arbitrary file placement. They further demonstrated how uploading malicious files and triggering internal service reloads via the pvp.sh watcher script could lead to full RCE, prompting Cisco to release a patch and advise disabling the Out-of-Band AP Image Download feature as a temporary mitigation.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
[/emaillocker]