Cisco Patches 35 Vulnerabilities Across Several Products - #CVE-2025-20188
Cisco has disclosed and patched a critical vulnerability (CVE-2025-20188) in its IOS XE Wireless Controller Software, rated at the maximum CVSS score of 10. The flaw stems from a hard-coded JSON Web Token in the Out-of-Band Access Point Image Download feature and allows an unauthenticated remote attacker to upload arbitrary files, perform path traversal, and execute commands with root privileges. Affected products include Catalyst 9800 Series Wireless Controllers and Embedded Wireless Controllers on Catalyst APs. The vulnerable feature is disabled by default; Cisco nevertheless strongly advises upgrading to the latest software release, or disabling the feature as a temporary mitigation until the upgrade is applied. The vulnerability was found internally by Cisco's Advanced Security Initiatives Group, and Cisco reports no evidence of exploitation in the wild. It was part of a larger patch release addressing 35 vulnerabilities across Cisco products, which underlines the importance of applying updates promptly.
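As an added illustration (not Cisco's code, and not the implementation of the affected feature), the block below shows in Python the two controls whose absence the advisory describes: signature verification against a secret that is generated per deployment rather than compiled into every image, and confinement of an uploaded filename to a single upload directory so that traversal sequences and absolute paths are refused. The function names, the `scope` claim, and the sample filenames and image bytes are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

# Added example, not Cisco's code. verify_hs256, safe_upload_path,
# handle_image_upload and the "scope" claim are names assumed for illustration.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only so the verifier can be exercised."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the token is validly signed with `secret`, else None.

    A secret compiled into every firmware image defeats this check: whoever
    extracts it from one image can mint tokens that every device accepts.
    The secret must be generated per deployment and stored outside the image.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if header.get("alg") != "HS256":  # reject "none" and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def safe_upload_path(upload_root: str, requested_name: str) -> Path:
    """Confine the destination to upload_root itself: no subdirectories, no '..', no absolute paths."""
    root = Path(upload_root).resolve()
    candidate = (root / requested_name).resolve()
    if candidate.parent != root:
        raise ValueError(f"path traversal rejected: {requested_name!r}")
    return candidate


def handle_image_upload(token, filename, data, secret, upload_root):
    """Store an AP image only for a validly signed token with the upload scope and a confined path."""
    claims = verify_hs256(token, secret)
    if claims is None or claims.get("scope") != "ap-image-upload":
        return ("rejected", "bad token")
    try:
        dest = safe_upload_path(upload_root, filename)
    except ValueError as err:
        return ("rejected", str(err))
    dest.write_bytes(data)
    return ("stored", str(dest))


def demo():
    """Run constructed scenarios against a temporary upload directory and return the outcomes."""
    upload_root = tempfile.mkdtemp(prefix="ap-images-")
    secret = secrets.token_bytes(32)  # per-deployment secret, never hard-coded
    good = sign_hs256({"scope": "ap-image-upload"}, secret)
    forged = sign_hs256({"scope": "ap-image-upload"}, b"some-other-secret")
    alg_none = (_b64url_encode(b'{"alg":"none"}') + "."
                + _b64url_encode(b'{"scope":"ap-image-upload"}') + ".")
    image = b"\x7fELF constructed sample image bytes"  # constructed, not a real image
    return {
        "good": handle_image_upload(good, "ap-image.bin", image, secret, upload_root),
        "traversal": handle_image_upload(good, "../outside.bin", image, secret, upload_root),
        "absolute": handle_image_upload(good, "/tmp/anything.bin", image, secret, upload_root),
        "forged": handle_image_upload(forged, "ap-image.bin", image, secret, upload_root),
        "alg_none": handle_image_upload(alg_none, "ap-image.bin", image, secret, upload_root),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Only the first scenario stores a file; the traversal and absolute-path names are rejected by the path check, and the token signed with a different secret or carrying `alg: none` never reaches it. Whether a device's upload path is equally confined is a separate question from the token check, which is why the example keeps the two controls independent.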