Unauthenticated Arbitrary File Upload and Root RCE in Cisco IOS XE Wireless LAN Controllers
CVE-2025-20188 is a critical vulnerability in Cisco IOS XE Software for Wireless LAN Controllers (WLCs) affecting the Out-of-Band Access Point (AP) Image Download, Clean Air Spectral Recording, and client debug bundles functionality. The issue is caused by the presence of a hard-coded JSON Web Token (JWT) used by the AP file upload interface. Because the token is embedded in the affected system, a remote unauthenticated attacker can craft valid HTTPS requests to the upload interface and bypass intended authorization checks. Successful exploitation allows arbitrary file upload; due to insufficient path validation, the issue can also be leveraged for path traversal, enabling placement of files outside the intended directory. Cisco and supporting reporting indicate this can be chained to arbitrary command execution with root privileges on the affected controller.
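The two defects the description names, an authentication credential that is identical on every device and an upload destination that is not confined to its directory, as an added defensive illustration that is not Cisco's code and not from the page: the JWT verifier refuses to operate with a known built-in secret, and the path check resolves the client-supplied name before deciding whether it stays inside the upload directory. The secret placeholder, base directory and function names are all constructed for the example.

```python
import base64, hashlib, hmac, json, os
from pathlib import Path
from typing import Optional

# Constructed placeholder standing in for a built-in default; the device's real
# hard-coded token is not on the page and is not reproduced here.
KNOWN_DEFAULT_SECRETS = {"BUILTIN-DEFAULT-DO-NOT-USE"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build test tokens."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if token validates under a per-device secret, else None.
    A secret that is a known built-in default is refused outright: a token signed
    with it would be valid on every device shipping that build."""
    if secret in KNOWN_DEFAULT_SECRETS:
        raise RuntimeError("refusing to verify with a hard-coded default secret")
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, sig = parts
    try:
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm: no 'none', no key confusion
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None

def safe_upload_path(base_dir: str, requested: str) -> Optional[Path]:
    """Resolve the client-supplied name inside base_dir, or None if it escapes.
    Call this on the URL-decoded filename, never on the raw request value."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()  # collapses any '..' components
    if target == base or base not in target.parents:
        return None
    return target
```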
Exploits
No public exploit code observed for this vulnerability.
Recent activity
A maximum-severity Cisco IOS XE Wireless Controller flaw due to a hard-coded JWT that enables unauthenticated remote arbitrary file upload and potential root-level compromise.
A hardcoded JWT secret in Cisco IOS XE wireless controllers allowed attackers to authenticate as administrators and gain full control. All affected devices were vulnerable until patched due to the inability to rotate the secret.
A critical arbitrary file upload vulnerability in Cisco IOS XE on Catalyst wireless LAN controllers allows remote unauthenticated attackers to execute code as root.
A remote code execution vulnerability in Cisco IOS XE caused by a hardcoded JWT token and path traversal. The article discusses a misleading or broken PoC using a different upload endpoint and nonfunctional payload.