CVE-2025-20188

CRITICAL EXPLOITED NUCLEI

Cisco IOS XE - Unauthenticated Arbitrary File Upload and Remote Code Execution via Hard-coded JWT

Title source: llm

Exploitation Summary

CVE-2025-20188 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including iSee857. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2025-20188 targeting Cisco IOS XE WLC, demonstrating remote code execution via session manipulation and command injection. The PoC includes a multi-threaded scanner for detecting vulnerable instances.

Description

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.

Exploits (1)

github WORKING POC 40 stars

by iSee857 · pythonpoc

https://github.com/iSee857/CVE-PoC/tree/main/CiscoIOSXEWLC-CVE-2025-20188-uploadToRce.py

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2025-20188 targeting Cisco IOS XE WLC, demonstrating remote code execution via session manipulation and command injection. The PoC includes a multi-threaded scanner for detecting vulnerable instances.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cisco IOS XE Wireless LAN Controller (WLC)

No auth needed

Prerequisites: Network access to the target · Target running vulnerable Cisco IOS XE WLC

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

Cisco IOS XE WLC - Arbitrary File Upload

CRITICALVERIFIEDby iamnoooob,pdresearch,DhiyaneshDK

Shodan: http.html_hash:1076109428 ssl.cert.issuer.cn:"IOS-Self-Signed-Certificate" port:8443

FOFA: "IOS-Self-Signed-Certificate" && port="8443"

References (2)

Core 2

Core References

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC

Exploit, Third Party Advisory

https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/

Scores

CVSS v3 10.0

EPSS 0.0462

EPSS Percentile 89.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-06-10

CWE

CWE-798

Status published

Products (7)

cisco/ios_xe 17.11.1

cisco/ios_xe 17.11.99sw

cisco/ios_xe 17.12.1

cisco/ios_xe 17.12.2

cisco/ios_xe 17.12.3

cisco/ios_xe 17.13.1

cisco/ios_xe 17.14.1

Published May 07, 2025

Tracked Since Feb 18, 2026