
A critical vulnerability, CVE-2025-20188, has been disclosed in Cisco IOS XE Wireless LAN Controller (WLC) software. It lets an unauthenticated attacker upload arbitrary files to the controller and, from there, achieve remote code execution (RCE). Cisco rates the flaw CVSS 10.0, the highest possible score, and security researchers at Horizon3 have published an in-depth technical breakdown of it.
The vulnerability affects Cisco IOS XE WLC version 17.12.03 and earlier and stems from a hard-coded JSON Web Token (JWT) secret used by the backend Lua scripts that handle file uploads. As the Horizon3 team put it:
“The issue was described as an unauthenticated arbitrary file upload, caused by the presence of a hard-coded JSON Web Token (JWT).”
By diffing the ISO images of the vulnerable and patched versions (C9800-CL-universalk9.17.12.03.iso vs 17.12.04), the researchers extracted the OpenResty (nginx plus Lua) web application and identified the scripts that govern the upload logic, in particular ewlc_jwt_verify.lua and ewlc_jwt_upload_files.lua.
The attack goes through the /ap_spec_rec/upload/ endpoint served on port 8443, which is reachable from the network in some configurations. Because the JWT secret is hard-coded, anyone who has read the scripts can mint a token the verifier accepts, and the filename supplied with the upload is not sanitised before it is joined onto the destination directory:
“Nothing is preventing us from using .. for path traversal, so the next question is: where should we place the file?”
The researchers showed that a crafted file path such as ../../usr/binos/openresty/nginx/html/foo.txt drops the uploaded file into a web-accessible directory, which already gives an unauthenticated arbitrary file write. They did not stop there.
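The two defects the researchers describe, a secret baked into the verifier and a client-supplied filename that is joined onto the upload directory verbatim, are modelled below in Python. This is an added illustration written for this page, not Cisco's Lua code: the secret value, the upload directory /var/uploads and the claim contents are assumptions, and the hardened handler shows the two changes that close the hole (a per-device secret that is not in any shipped file, and a filename reduced to its basename and confined to the root).

```python
"""Added illustration of the CVE-2025-20188 bug class, not Cisco's code.

Models an upload handler that (1) verifies an HS256 JWT against a
hard-coded secret and (2) joins a client-supplied filename onto the
upload directory without sanitising it, next to a hardened version.
"""
import base64
import hashlib
import hmac
import json
import os
import posixpath
from typing import Optional

# Assumed stand-in for the vendor's hard-coded secret; the real value is not reproduced here.
HARDCODED_SECRET = b"example-hardcoded-secret"
UPLOAD_ROOT = "/var/uploads"  # assumed upload directory


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Create an HS256 JWT. With a hard-coded secret, anyone who read the script can do this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Verify an HS256 JWT and return its claims, or None. The algorithm is pinned so alg=none is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None


def vulnerable_upload(token: str, filename: str) -> Optional[str]:
    """Vulnerable pattern: secret baked into the script, filename trusted verbatim."""
    if verify_jwt(token, HARDCODED_SECRET) is None:
        return None
    # A plain join: '..' segments walk the destination out of UPLOAD_ROOT.
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def hardened_upload(token: str, filename: str, device_secret: bytes) -> Optional[str]:
    """Hardened: per-device secret, filename reduced to a basename, result confined to UPLOAD_ROOT."""
    if verify_jwt(token, device_secret) is None:
        return None
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Defence in depth: refuse anything that still resolved outside the root.
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        return None
    return dest


if __name__ == "__main__":
    traversal = "../../usr/binos/openresty/nginx/html/foo.txt"  # the path from the write-up
    forged = mint_jwt({"sub": "ap"}, HARDCODED_SECRET)
    print("vulnerable:", vulnerable_upload(forged, traversal))
    device_secret = os.urandom(32)  # generated on the device, never shipped in an image
    print("hardened, forged token:", hardened_upload(forged, traversal, device_secret))
    legit = mint_jwt({"sub": "ap"}, device_secret)
    print("hardened, legit token:", hardened_upload(legit, traversal, device_secret))
```

Run as a script it prints the traversal landing in the web root for the vulnerable handler, a rejection of the forged token by the hardened one, and /var/uploads/foo.txt for a legitimately signed upload of the same filename. Note that pinning the algorithm and using a constant-time comparison are necessary but not sufficient: if the secret is in the firmware, the verifier is correct and still worthless.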
The researchers then turned the file write into code execution through an internal process watcher script, pvp.sh, which uses inotifywait to monitor certain directories and reloads the associated services when files in them change. Overwriting a watched configuration file with attacker-controlled commands, then dropping another file to trigger the reload, yields remote code execution.
“In short, for RCE we’ll need to… overwrite the existing config file with our own commands… upload a new file to cause the services to be reloaded… check if we succeeded.”
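On the detection side, the chain above leaves a recognisable sequence in the controller's web server logs: a POST to /ap_spec_rec/upload/ whose filename contains traversal segments, followed by a request for the dropped file (the "check if we succeeded" step). The script below, an added example that is not part of the Horizon3 write-up, runs that logic over constructed sample lines. The log format is a simplified nginx-style layout assumed for the example (the real controller's format and whether it records the upload filename are not established on this page), so the regex is the part to adapt.

```python
"""Added detection example for the CVE-2025-20188 upload-then-fetch pattern (not from the write-up)."""
import posixpath
import re
import urllib.parse
from typing import Dict, List, Set

UPLOAD_ENDPOINT = "/ap_spec_rec/upload/"

# Constructed sample lines in an assumed simplified format:
#   client_ip "METHOD path PROTO" status "upload-filename-or-dash"
SAMPLE_LOG = """\
10.0.0.5 "POST /ap_spec_rec/upload/ HTTP/1.1" 200 "ap-image-17.12.bin"
203.0.113.7 "POST /ap_spec_rec/upload/ HTTP/1.1" 200 "../../usr/binos/openresty/nginx/html/foo.txt"
203.0.113.7 "GET /foo.txt HTTP/1.1" 200 "-"
10.0.0.9 "GET /ap_spec_rec/status HTTP/1.1" 404 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<fname>[^"]*)"$'
)
# A '..' path segment, with either slash style, at the start, middle or end of the name.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per suspicious event, in log order.

    info     - any upload to the endpoint (worth knowing if the feature should be off)
    high     - upload whose filename contains a traversal segment
    critical - same client later fetches a file with the basename it dropped
    """
    alerts: List[Dict[str, str]] = []
    dropped: Dict[str, Set[str]] = {}  # client ip -> basenames written via traversal
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        fname = urllib.parse.unquote(m["fname"])  # catch %2e%2e encodings too
        if method == "POST" and path.startswith(UPLOAD_ENDPOINT):
            if TRAVERSAL_RE.search(fname):
                dropped.setdefault(ip, set()).add(posixpath.basename(fname))
                alerts.append({"ip": ip, "severity": "high",
                               "reason": f"traversal in upload filename: {fname}"})
            else:
                alerts.append({"ip": ip, "severity": "info",
                               "reason": f"upload to {UPLOAD_ENDPOINT}: {fname}"})
        elif method == "GET" and posixpath.basename(path) in dropped.get(ip, set()):
            alerts.append({"ip": ip, "severity": "critical",
                           "reason": f"fetch of dropped file {path} after traversal upload"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f'{alert["severity"]:8} {alert["ip"]:15} {alert["reason"]}')
```

The correlation is deliberately keyed on the client address and the basename of the dropped file; an attacker who fetches the file from a second address will still trip the high-severity upload alert, which on a controller where Out-of-Band AP Image Download is disabled should never fire at all.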
Cisco has fixed the vulnerability in updated IOS XE WLC releases (17.12.04 is the patched build the researchers compared against). For administrators who cannot upgrade immediately, Horizon3 relayed Cisco's advice:
“Administrators can disable the Out-of-Band AP Image Download feature… Cisco strongly recommends implementing this mitigation until an upgrade can be performed.”
This mitigation matters because the researchers found port 8443 listening on some fresh installations, so the vulnerable endpoint can be exposed without any administrator having enabled it. Until the upgrade is done, confirm from outside the controller that TCP 8443 is not reachable from untrusted networks, and treat any POST to /ap_spec_rec/upload/ on an unpatched device as suspicious.