Technical details have been released for a recently patched critical-severity vulnerability in Cisco IOS XE that could be exploited for remote code execution (RCE).
Tracked as CVE-2025-20188 (CVSS score of 10/10), the bug is described as an arbitrary file upload that exists because of a hardcoded JSON Web Token (JWT).
Cisco announced fixes for the security defect on May 7, explaining that attackers could exploit it remotely, without authentication, by sending crafted HTTPS requests to the Out-of-Band Access Point (AP) image download interface of a vulnerable system.
Successful exploitation of the issue could allow attackers to perform path traversal, upload arbitrary files, and execute commands with root privileges, Cisco said, underlining that only systems with the Out-of-Band AP image download feature enabled are vulnerable.
The bug affects Catalyst 9800 series wireless controllers, Catalyst 9800-CL wireless controllers for cloud, the Catalyst 9800 embedded wireless controller for 9300, 9400, and 9500 series switches, and the embedded wireless controller for Catalyst APs, the company said.
Last week, Horizon3.ai published a technical analysis of the vulnerability, explaining that the vulnerable feature runs as a separate service on port 8443.
Horizon3.ai discovered that an attacker could achieve RCE by overwriting an existing configuration file with their own commands and then uploading a new file to a specific directory that would trigger a service restart.
“After digging through those services, we discovered an internal process management service (pvp.sh) that waits for files to be written to a specific directory. Once a change is detected, it can trigger a service reload based on the commands specified in the service’s config file,” the security firm explains.
Users are advised to upgrade to a patched Cisco IOS XE software release or disable the Out-of-Band AP image download feature if the upgrade cannot be performed.
Related: Veeam Patches Critical Vulnerability in Backup & Replication
Related: ChatGPT Tool Vulnerability Exploited Against US Government Organizations
Related: Critical OpenPGP.js Vulnerability Allows Spoofing
Related: Code Execution Flaw Found in Nuclei Vulnerability Scanner
