[CVE-2025-20188] Critical Vulnerability in Cisco IOS XE Wireless Controller Software

Frederico Hakamine
Technology Evangelist, Axonius

TL;DR: This post provides steps to identify and fix Cisco appliances (software and hardware) impacted by CVE-2025-20188.
Last update: 13:00 ET, May 8, 2025
Summary
On May 7, 2025, at 16:00 GMT, Cisco issued a security advisory regarding a critical vulnerability (CVE-2025-20188: CVSS 3.1 base score of 10.0, CVSS 4.0 pending) affecting both software and hardware appliances running the Cisco IOS XE software for Wireless LAN Controllers (WLCs).
This vulnerability is caused by the presence of a hard-coded credential in JSON Web Token (JWT) format that could allow an unauthenticated attacker to upload arbitrary files to an affected system. While there is no confirmation yet that the vulnerability is being actively exploited (as of 9:30am ET, May 8, 2025), it is scored as 10.0 due to its technical nature.
Impacted systems
For updates, visit the Cisco Security Advisory.
Vulnerable products
- Systems running Cisco IOS XE for WLCs with the Out-of-Band AP Image Download feature enabled
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
NOT impacted
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS Software
- IOS XE running on devices that are not functioning as WLCs and not listed in the Vulnerable Products section of this advisory
- IOS XR Software
- Meraki products
- NX-OS Software
- WLC AireOS Software
How to identify affected systems with Axonius
Before beginning, run a complete discovery (highly recommended!).
Note: This will ensure that you get the latest relevant snapshot of your environment.
To do so, access the Axonius Platform as an admin and click Discover Now (located in the top-right corner of the Axonius dashboard).
Through the Vulnerability ID (CVE-2025-20188)
Go to Assets > Devices and then search for assets with the Vuln ID: CVE-2025-20188
("specific_data.data.software_cves.cve_id" == regex("CVE\-2025\-20188", "i"))
The result will display devices (inclusive of network equipment) with the vulnerability.
Through asset characteristics (not caught by your scanners)
Important: Given the recency of this vulnerability and potential vulnerability scanner issues (scanner run cadence and deployment coverage), we highly encourage customers to identify potentially impacted hosts by checking asset characteristics such as OS version or presence in Cisco Catalyst Center (formerly Cisco DNA Center).
1. Identify impacted assets managed by the Cisco Catalyst Center (formerly known as Cisco DNA Center):
Go to Assets > Devices and then search for assets with an existing ID in Cisco Catalyst Center, OS: Type and Distribution equals Cisco IOS-XE, and Device Model Family equals Wireless Controller:
(("adapters_data.cisco_dna_adapter.id" == ({"$exists":true,"$ne":""}))) and ("specific_data.data.os.type_distribution" == "Cisco IOS-XE") and ("specific_data.data.device_model_family" == "Wireless Controller")
2. Identify impacted assets that are not managed by the Cisco Catalyst Center:
Go to Assets > Devices and then search for assets not present in Cisco Catalyst Center (or disregard this query if you don't have Cisco Catalyst Center) and with OS: Type and Distribution equals Cisco IOS-XE:
("specific_data.data.os.type_distribution" == "Cisco IOS-XE") and not (("adapters_data.cisco_dna_adapter.id" == ({"$exists":true,"$ne":""})))
From the results, open the asset and look for specific signals retrieved by other adapters in your asset inventory. Search for “catalyst” and “wireless.” In this example, the CMDB (ServiceNow) has a Product Model: Model attribute identifying the appliance model.
Return to Assets > Devices and complement the previous query with the extra signal you found (for this example: ServiceNow's Product Model: Model contains "wireless"):
("specific_data.data.os.type_distribution" == "Cisco IOS-XE") and not (("adapters_data.cisco_dna_adapter.id" == ({"$exists":true,"$ne":""}))) and ("adapters_data.service_now_adapter.snow_product_model.model" == regex("wireless", "i"))
After this step, you will have a list of devices (inclusive of network equipment: both hardware and virtual appliances) that match the list of vulnerable products reported by Cisco. From there, you need to confirm if they have the Out-of-Band AP Image Download feature enabled.
Confirm if assets are affected
For updates, visit the Cisco Security Advisory.
From the results gathered, mobilize your teams to confirm whether the Out-of-Band AP Image Download feature is enabled.
You can do this in three ways:
- Via the Enforcement Center actions
- By creating a ticket in their systems
- By exporting a CSV and sharing it directly with them
Run the step recommended by Cisco (the show running-config | include ap upgrade command) to confirm whether the Out-of-Band AP Image Download feature is enabled on each device (and therefore whether the device is affected by this vulnerability).
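To show how the two halves of this procedure fit together, here is an added Python example (not Axonius or Cisco code) that first narrows a constructed asset export the way the two identification queries above do, and then evaluates captured show running-config | include ap upgrade output for each candidate. The export field names, hostnames and config snippets are all constructed for the example. The marker line "ap upgrade method https" is an assumption about what IOS XE prints when the feature is enabled; verify it against a known-enabled controller before relying on it.

```python
"""Added triage example for CVE-2025-20188 (not Axonius or Cisco code).

Step 1 mirrors the post's Axonius queries over a constructed device export.
Step 2 classifies each candidate from the output of
`show running-config | include ap upgrade` captured by the network team.
"""
import re

# Constructed sample export, keyed like the AQL fields used in the post:
# DNA adapter id, OS type/distribution, model family, ServiceNow model.
SAMPLE_INVENTORY = [
    {"hostname": "wlc-core-01", "cisco_dna_id": "dna-1001",
     "os_type_distribution": "Cisco IOS-XE",
     "device_model_family": "Wireless Controller", "snow_model": ""},
    {"hostname": "sw-access-07", "cisco_dna_id": "dna-1002",
     "os_type_distribution": "Cisco IOS-XE",
     "device_model_family": "Switch", "snow_model": ""},
    {"hostname": "wlc-branch-03", "cisco_dna_id": "",
     "os_type_distribution": "Cisco IOS-XE",
     "device_model_family": "",
     "snow_model": "Catalyst 9800-CL Wireless Controller"},
    {"hostname": "rtr-edge-02", "cisco_dna_id": "",
     "os_type_distribution": "Cisco IOS-XE",
     "device_model_family": "", "snow_model": "ISR 4451 Router"},
    {"hostname": "ap-lobby-11", "cisco_dna_id": "",
     "os_type_distribution": "Cisco AireOS",
     "device_model_family": "", "snow_model": "Wireless AP"},
]

WIRELESS_RE = re.compile(r"wireless", re.IGNORECASE)  # same regex as the AQL


def candidate_wlcs(inventory):
    """Hostnames matching the post's two identification queries.

    Query 1: DNA-managed, IOS-XE, model family "Wireless Controller".
    Query 2: not DNA-managed, IOS-XE, ServiceNow model matching /wireless/i.
    """
    hits = []
    for dev in inventory:
        if dev["os_type_distribution"] != "Cisco IOS-XE":
            continue
        managed = bool(dev["cisco_dna_id"])  # AQL: id exists and is non-empty
        if managed and dev["device_model_family"] == "Wireless Controller":
            hits.append(dev["hostname"])
        elif not managed and WIRELESS_RE.search(dev["snow_model"]):
            hits.append(dev["hostname"])
    return hits


# ASSUMPTION: this is the config line IOS XE shows when Out-of-Band AP Image
# Download is enabled. A leading "no " is an explicit disable, not a match.
OOB_MARKER_RE = re.compile(r"^ap upgrade method https(\s.*)?$")


def oob_ap_image_download_enabled(show_output):
    """True if the filtered running-config output shows the feature enabled."""
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("no "):
            continue
        if OOB_MARKER_RE.match(line):
            return True
    return False


# Constructed captures of `show running-config | include ap upgrade`;
# an empty capture means the filter matched no lines.
SAMPLE_CONFIGS = {
    "wlc-core-01": "ap upgrade method https\n",
    "wlc-branch-03": "",
}


def triage(inventory, configs):
    """Map each candidate WLC to an affected / not affected / missing status."""
    report = {}
    for host in candidate_wlcs(inventory):
        if host not in configs:
            report[host] = "config missing: request show output"
        elif oob_ap_image_download_enabled(configs[host]):
            report[host] = "affected: disable feature or upgrade"
        else:
            report[host] = "not affected: feature disabled"
    return report


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, SAMPLE_CONFIGS).items():
        print(f"{host}: {status}")
```

The candidate list comes from inventory characteristics alone, so it over-approximates on purpose; only the per-device config check turns a candidate into a confirmed finding, which is why devices with no captured output are reported separately rather than silently dropped.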
Workarounds and remediation steps
For updates, visit the Cisco Security Advisory.
According to Cisco:
Workarounds: There are no workarounds that address this vulnerability.
Mitigations:
Administrators can disable the Out-of-Band AP Image Download feature: With this feature disabled, AP image download will use the CAPWAP method for the AP image update feature, and this does not impact the AP client state.
Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed.
Remediation: Cisco has released free software updates to address the vulnerability.
Learn More
Axonius:
If you're not an Axonius customer and want to know more about how we can help you, schedule a meeting with a security specialist.
Categories
- Threats & Vulnerabilities