The details about a 10.0 Cisco IOS XE Wireless LAN Controller (WLC) flaw that Cisco patched May 7 have been made public, bringing the industry closer to a working exploit and prompting security pros to tell teams to patch right away."This is a ‘drop everything and fix it’ kind of bug," said Casey Ellis, founder of Bugcrowd. "Waiting is not an option.”While a May 29 blog by Horizon3.ai researchers does not include a complete proof-of-concept (PoC), it does offer enough clues for a skilled threat actor or even an attacker armed with a large language model (LLM) to embellish the script and launch attacks.Jimi Sebree, attack team researcher at Horizon3.ai, explained that the flaw – CVE-20225-20188 – is a bug in Cisco IOS XE software caused by a hardcoded authentication token being used.In such a hardcoded token, authentication credentials such as usernames, passwords, or API keys are embedded into the app’s source code. This causes a security risk because the credentials are often left in plain text, making them vulnerable to attackers.“The bug lets attackers perform path traversal attacks, upload arbitrary files, and ultimately execute commands on affected devices,” said Sebree. “This results in a complete takeover of the device."Nic Adams, co-founder and CEO at 0rcus, explained that CVE-2025-20188 is a critical bug in Cisco’s IOS XE software for WLCs that’s derived from a hardcoded JSON Web Token (JWT) secret.For example, if the file /tmp/nginx_jwt_key is missing in the original code, Adams said the system defaults to using the string “notfound” as a JWT secret, which lets unauthenticated attackers craft valid JWTs and upload arbitrary files via the /ap_spec_rec/upload/ endpoint over HTTPS (port 8443).“By exploiting path traversal vulnerabilities, attackers place files outside the intended directory, with potential of overwriting critical configuration files or introducing malicious scripts,” said Adams. “Therefore, this leads to remote code execution (RCE) with root privileges … which can let attackers install persistent malware/backdoors, intercept or reroute network traffic, move laterally within the network to compromise additional systems, and disrupt network operations.”Bugcrowd's Ellis added that CVE-2025-20188 presents security professionals with a textbook example of why hardcoded secrets and insufficient validation are such dangerous anti-patterns in software security. Ellis said the use of "notfound" as a fallback JWT secret essentially defeats the entire purpose of token-based authentication.“It's like locking your front door, but leaving the key under the mat with a sign that says ‘key here,’" said Ellis. “The combination of this with weak path validation creates a perfect storm for attackers to exploit.”Ellis explained that by leveraging the predictable fallback secret, attackers can craft valid JWTs to bypass authentication. From there, the arbitrary file upload flaw lets attackers plant malicious files — web shells, altered configs, or other payloads — on the target system.Ellis added that Cisco IOS XE is widely deployed in enterprise and service provider environments, meaning a successful exploit could lead to significant disruption or compromise of sensitive data.“This is a 10.0 CVSS vulnerability for a reason — it's both easy to exploit and has severe consequences,” said Ellis. “For security teams, the priority is clear: patch immediately. If patching isn't feasible, in the short term, implement compensating controls like restricting access to the affected endpoints, monitoring for suspicious file uploads, and disabling unnecessary services.”
Vulnerability Management, Patch/Configuration Management
Cisco IOS XE bug rated 10.0: ‘Waiting is not an option,’ pros say
(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds