A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs), potentially allowing unauthenticated remote attackers to gain full control of affected devices.
The vulnerability, tracked as CVE-2025-20188, lets attackers upload arbitrary files and execute commands with root privileges, posing a severe threat to enterprise wireless networks worldwide.
Vulnerability Summary
The vulnerability arises from a hard-coded JSON Web Token (JWT) used in the Out-of-Band AP (Access Point) Image Download feature of Cisco IOS XE Software for WLCs.
If this feature is enabled, a remote attacker could exploit the flaw via crafted HTTPS requests, permitting arbitrary file upload, path traversal, and ultimately, execution of system commands as root.
A successful attack would allow a malicious actor to take over the controller, potentially compromising every device and client it manages.
This could lead to unauthorized network access, data theft, and disruption of wireless services.
Administrators are strongly urged to disable the Out-of-Band AP Image Download feature as an immediate mitigation and apply the newly released software updates.
Affected Product Table
Product Name | Conditions for Vulnerability | Associated CVE
--- | --- | ---
Catalyst 9800-CL Wireless Controllers for Cloud | IOS XE WLC, Feature Enabled | CVE-2025-20188
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300/9400/9500 | IOS XE WLC, Feature Enabled | CVE-2025-20188
Catalyst 9800 Series Wireless Controllers | IOS XE WLC, Feature Enabled | CVE-2025-20188
Embedded Wireless Controller on Catalyst APs | IOS XE WLC, Feature Enabled | CVE-2025-20188
Mitigation and Recommendations
As no direct workarounds are available, Cisco recommends the following:
- Disable Out-of-Band AP Image Download: first check from the CLI whether the feature is enabled:
    wlc# show running-config | include ap upgrade
    ap upgrade method https
  If the output shows "ap upgrade method https", the feature is enabled; disable it immediately.
- Update Your Software: Apply Cisco’s patched releases available via regular update channels.
- Review Network Segmentation: Limit management interface exposure to only trusted networks.
Organizations running affected Cisco WLC platforms should assess their vulnerability exposure and update to the fixed software versions to prevent potential exploitation.
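The configuration check above can be applied across a fleet of controllers. The following is an added example (not Cisco's code and not part of the original article) that parses saved "show running-config" output for the "ap upgrade method" line shown on the page and reports which controllers have the Out-of-Band AP Image Download feature enabled; the sample configs and hostnames are constructed, and it is assumed that other method values, if any, do not correspond to this feature.

```python
import re
from typing import Dict, List, Optional

# Matches the "ap upgrade method <value>" line as it appears in the
# "show running-config | include ap upgrade" output quoted in the advisory.
# Only the "https" value is flagged, since that is the Out-of-Band AP Image
# Download setting named in the advisory (assumption: other values are not).
AP_UPGRADE_RE = re.compile(r"^\s*ap upgrade method\s+(\S+)\s*$", re.IGNORECASE)


def audit_ap_upgrade(config_text: str) -> Dict[str, Optional[object]]:
    """Return the configured AP upgrade method and whether OOB HTTPS is on."""
    method = None
    for line in config_text.splitlines():
        # IOS-style "!" lines are comments/separators, never active config.
        if line.lstrip().startswith("!"):
            continue
        m = AP_UPGRADE_RE.match(line)
        if m:
            method = m.group(1).lower()  # last occurrence wins
    return {"method": method, "oob_https_enabled": method == "https"}


def audit_fleet(configs: Dict[str, str]) -> List[str]:
    """Return hostnames whose running-config enables OOB AP image download."""
    return sorted(host for host, cfg in configs.items()
                  if audit_ap_upgrade(cfg)["oob_https_enabled"])


# Constructed sample dumps (not real device output) for two controllers:
# the first has the feature enabled, the second only has it in a comment.
SAMPLE_CONFIGS = {
    "wlc-hq-01": "hostname wlc-hq-01\n!\nap upgrade method https\n!\nend\n",
    "wlc-branch-02": "hostname wlc-branch-02\n!\n! ap upgrade method https\nend\n",
}

if __name__ == "__main__":
    for host in audit_fleet(SAMPLE_CONFIGS):
        print(f"{host}: Out-of-Band AP Image Download enabled; disable and patch")
```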