Cisco has released security patches to fix a critical vulnerability (CVE-2025-20188) in its IOS XE Wireless Controller software that could allow attackers to gain root access. The flaw involves a hard-coded JSON Web Token (JWT) and affects systems with the Out-of-Band AP Image Download feature enabled, especially if configured to use HTTPS. (Affected: Cisco IOS XE Wireless Controller systems with the feature enabled)
Keypoints :
- Cisco has issued patches to address CVE-2025-20188, a high-severity security vulnerability in IOS XE Wireless Controllers.
- The vulnerability stems from a hard-coded JSON Web Token (JWT) that can be exploited via specific HTTPS requests.
- Successful exploitation can lead to full root access, file uploads, path traversal, and arbitrary command execution.
- The flaw affects systems with the Out-of-Band AP Image Download feature enabled, which is disabled by default but may be activated by administrators.
- There are no direct workarounds; disabling the vulnerable feature temporarily uses an alternative download method but may impact system functionality.
- Cisco recommends updating to the latest software versions and verifying device configurations to mitigate the risk.
- Users should consult Cisco support resources to ensure proper updates and understand the potential impacts of disabling features.
Read More: https://thecyberexpress.com/cisco-patches-cve-2025-20188/