Cisco announced security patches for 35 vulnerabilities across its IOS, IOS XE, Catalyst Center, and SD-WAN Manager products, addressing critical, high, and medium-severity flaws. The most severe vulnerability, CVE-2025-20188, allows remote file uploads and arbitrary command execution on Wireless LAN Controllers with the Out-of-Band AP image download feature enabled (Affected: Cisco networking devices and management systems)
Keypoints :
- Cisco released patches for 35 security vulnerabilities, including critical, high, and medium-severity bugs.
- The critical vulnerability (CVE-2025-20188) involves an arbitrary file upload flaw in IOS XE, allowing remote code execution without authentication, impacting Wi-Fi controllers with a specific feature enabled.
- High-severity issues include command injection, privilege escalation, and DoS vulnerabilities, some exploitable without authentication.
- Medium-severity flaws could enable CSRF attacks, configuration data access, traffic filtering bypasses, and DoS conditions.
- Additional updates address vulnerabilities in Ciscoβs Catalyst Center and SD-WAN Manager, including privilege escalation and configuration modification bugs.
- Cisco has not patched a certain ACL bypass vulnerability in some switch models, due to unsupported configurations, but proof-of-concept code exists for other medium-severity issues.
- Users are advised to apply the patches promptly, especially as some vulnerabilities, including a high-severity SSH flaw, have proof-of-concept exploitation in the wild.
Read More: https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/