FKIE_CVE-2025-20188

Vulnerability from fkie_nvd - Published: 2025-05-07 18:15 - Updated: 2025-06-23 15:15
Summary
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Impacted products
Vendor Product Version
cisco ios_xe 17.11.1
cisco ios_xe 17.11.99sw
cisco ios_xe 17.12.1
cisco ios_xe 17.12.2
cisco ios_xe 17.12.3
cisco ios_xe 17.13.1
cisco ios_xe 17.14.1

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F313F2EC-F3D6-4639-934C-402DDA3DA806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F7C157F-5569-4072-805F-7AF598F6B56F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BF0778B-015D-481B-BAC0-40667F3453D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE165207-A066-44C1-B78A-6EFD80023204",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "1098FCEA-6A9F-4634-A0EF-EC55ABCCEA3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8577AF01-F2C7-48D3-AB0B-78BD63A60029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "31789E98-7C8D-4C5A-8A3F-FC9AFE9A248C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.\r\n\r This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system.  An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en la funci\u00f3n de descarga de im\u00e1genes de puntos de acceso (AP) fuera de banda del software Cisco IOS XE para controladores de LAN inal\u00e1mbrica (WLC) podr\u00eda permitir que un atacante remoto no autenticado cargue archivos arbitrarios en un sistema afectado. Esta vulnerabilidad se debe a la presencia de un token web JSON (JWT) codificado de forma r\u00edgida en un sistema afectado. Un atacante podr\u00eda explotar esta vulnerabilidad enviando solicitudes HTTPS manipuladas a la interfaz de descarga de im\u00e1genes del AP. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante cargar archivos, atravesar rutas y ejecutar comandos arbitrarios con privilegios de root. Nota: Para que la explotaci\u00f3n sea exitosa, la funci\u00f3n de descarga de im\u00e1genes de AP fuera de banda debe estar habilitada en el dispositivo. No est\u00e1 habilitada por defecto."
    }
  ],
  "id": "CVE-2025-20188",
  "lastModified": "2025-06-23T15:15:11.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-07T18:15:38.617",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    }
  ]
}

