Cisco fixes max severity IOS XE flaw letting attackers hijack devices
Published on: 2025-07-18 16:53:18
Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers, caused by a hard-coded JSON Web Token (JWT), that allows an unauthenticated remote attacker to take over devices.
This token is meant to authenticate requests to a feature called 'Out-of-Band AP Image Download.' Since it's hard-coded, anyone can impersonate an authorized user without credentials.
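To show why a signing key compiled into a build cannot authenticate anything, here is an added example (not Cisco's code and not tied to the affected product) that implements a minimal HS256 JWT signer and verifier with the standard library, then contrasts a service that checks tokens against a constant baked into the code with one whose key is generated per device at provisioning time. The constant `HARDCODED_SECRET`, the service class names and the claims are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed placeholder standing in for a secret compiled into firmware.
# It is not any vendor's real value; the point is that any constant shipped
# in an image is known to everyone who can read that image.
HARDCODED_SECRET = b"example-build-time-constant"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None
    return claims


class ConstantKeyService:
    """Weak pattern: the verification key is the constant compiled into the build."""

    def __init__(self) -> None:
        self.secret = HARDCODED_SECRET

    def authorize(self, token: str) -> bool:
        claims = verify_jwt(token, self.secret)
        return bool(claims and claims.get("role") == "admin")


class PerDeviceKeyService:
    """Hardened pattern: a key generated once per device and kept out of the code."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        # A real deployment generates this at provisioning time and stores it in
        # protected storage; os.urandom stands in for that step here.
        self.secret = secret if secret is not None else os.urandom(32)

    def authorize(self, token: str) -> bool:
        claims = verify_jwt(token, self.secret)
        return bool(claims and claims.get("role") == "admin")


def demo() -> Tuple[bool, bool]:
    """Sign an admin token with the shipped constant and present it to both services."""
    token = sign_jwt({"sub": "anyone", "role": "admin", "exp": time.time() + 600}, HARDCODED_SECRET)
    return ConstantKeyService().authorize(token), PerDeviceKeyService().authorize(token)


if __name__ == "__main__":
    accepted_by_constant, accepted_by_per_device = demo()
    print("constant-key service accepts token signed with the shipped constant:", accepted_by_constant)
    print("per-device-key service accepts the same token:", accepted_by_per_device)
```

The first service cannot distinguish a legitimate client from anyone who has read the firmware, because both hold the same key; the second rejects the same token because its key never left the device. Auditing for this class of defect means checking where each verification key comes from, not whether the JWT library is used correctly.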
The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score, allowing threat actors to fully compromise devices according to the vendor.
"An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface," reads Cisco's bulletin.
"A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
It is noted that CVE-2025-20188 is only exploitable when the 'Out-of-Band AP Image Download' feature is enabled on the device, which isn't enabled by default.
The 'Out-of-Band