Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability

cisco-sa-wlc-file-uplpd-rHZG9UfC · Critical · Published · Updated

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Cisco advisory · CSAF JSON

Workarounds

There are two mitigations that are preferred for addressing this vulnerability for the two possible device configurations:

Impacted Features Not in Use

If the impacted features are not used, apply infrastructure access control lists (iACLs) to all interfaces and block the interface completely, as shown in the following example. This will completely mitigate the vulnerability.

wlc# show ap file-transfer https summary
Configured port : 8443
Operational port : 8443

wlc# show ip access-lists CVE-2025-20188
10 deny tcp any any eq 8443
20 permit ip any any

Impacted Features in Use

If the impacted features are used, to reduce the attack surface, apply iACLs to limit the AP file upload interface to the WLC to allow traffic from expected sources only. The following is an iACL example that can be included as part of the deployed iACL:

wlc# show ap file-transfer https summary
Configured port : 8443
Operational port : 8443

wlc# show ip access-lists CVE-2025-20188
10 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 8443
20 permit ip any any

For more guidelines and recommendations for deployment techniques for iACLs, see the white paper Protecting Your Core: Infrastructure Protection Access Control Lists ["https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html"].

There is also a workaround that addresses this vulnerability.

Manually triggering the AP client debug bundle once, as shown in the following example, will protect all affected features that use the AP file upload interface. Note that this workaround does not persist through reload and must be done any time the device is reloaded.

! Check and pick any one client in any AP associated with this WLC
wlc# show wireless client summary

Number of Clients: 1

MAC Address     AP Name             Type  ID  State  Protocol  Method  Role
-------------------------------------------------------------------------------------------
5eef.1000.0001  AP5EEF.1000.0003    WLAN  1   Run    11n(5)    None    Local

Number of Excluded Clients: 0

! Manually trigger the debug bundle once
wlc# debug wireless bundle client mac 0100.5eef.1000.0001
Wireless Client debug bundle add event

! Get the site-tag
wlc# show ap tag summary | inc AP5EEF.1000.0003|AP Name

AP Name           AP Mac          Site Tag Name  Policy Tag Name  RF Tag Name  Misconfigured  Tag Source
AP5EEF.1000.0003  5eef.1000.0003  ST1            policy-tag       rf-tag       No             Static

! Be sure to change the monitor-time to 60 so this process will take 60 seconds and not longer
wlc# debug wireless bundle client start ap-archive site-tag ST1 level debug monitor-time 60

! Stop debug bundle after 60 seconds
wlc# debug wireless bundle client stop-all collect all

! A debug bundle should be generated and the workaround was successfully executed
wlc# dir bootflash:completeCDB/*
2883591  -rw-  383488  Jan 6 2025 11:18:25 +00:00  wireless_bundle_0100.5eef.1000.0001.tar

96739794944 bytes total (75825774592 bytes free)
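The two mitigations above both leave evidence in show command output: an iACL that denies TCP to the operational AP file-transfer port (the "features not in use" and "features in use" sections), and a bundle file under bootflash:completeCDB/ (the debug bundle workaround). The following checker is an added example, not Cisco's or Vulnslist's code. It parses captured output of the show commands quoted in the advisory and evaluates the ACL with IOS first-match semantics against a chosen source and WLC address, so the check follows the operational port from the device rather than assuming 8443. The sample outputs, the WLC address 198.51.100.10, and the trusted range 192.0.2.0/24 are constructed for the example; the "Extended IP access list" header line is standard IOS show output. Only destination-port `eq` matches and contiguous wildcard masks are handled.

```python
"""Verify CVE-2025-20188 workaround indicators from captured IOS XE show output.

Added example, not from the Cisco advisory or Vulnslist. All sample output
below is constructed to mirror the advisory's examples.
"""
import ipaddress
import re

# Constructed: output of "show ap file-transfer https summary"
FILE_TRANSFER_SUMMARY = """\
Configured port : 8443
Operational port : 8443
"""

# Constructed: "features not in use" form, port blocked from every source
ACL_BLOCK_ALL = """\
Extended IP access list CVE-2025-20188
    10 deny tcp any any eq 8443
    20 permit ip any any
"""

# Constructed: "features in use" form, with hypothetical values in place of the
# advisory's INFRASTRUCTURE_ADDRESSES / WILDCARD placeholders (WLC at
# 198.51.100.10, expected sources in 192.0.2.0/24)
ACL_RESTRICT = """\
Extended IP access list CVE-2025-20188
    10 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 8443
    20 deny tcp any host 198.51.100.10 eq 8443
    30 permit ip any any
"""

# Constructed: output of "dir bootflash:completeCDB/*" after the workaround
DIR_LISTING = """\
Directory of bootflash:/completeCDB/*

2883591  -rw-  383488  Jan 6 2025 11:18:25 +00:00  wireless_bundle_0100.5eef.1000.0001.tar

96739794944 bytes total (75825774592 bytes free)
"""

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(.*)$")


def operational_port(summary):
    """Return the port the AP file-transfer service is actually listening on."""
    m = re.search(r"Operational port\s*:\s*(\d+)", summary)
    if not m:
        raise ValueError("operational port not found in summary output")
    return int(m.group(1))


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard mask as a hostmask (inverted netmask)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse ACE lines into (seq, action, proto, src_net, dst_net, dst_port) tuples."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header or blank line
        seq, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        dport = int(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
        entries.append((int(seq), action, proto, src, dst, dport))
    return entries


def acl_decision(entries, src_ip, dst_ip, proto, dport):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, p, src, dst, port in entries:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def port_mitigated(summary, acl_text, untrusted_src, wlc_ip):
    """True if the ACL denies an untrusted source reaching the operational port."""
    port = operational_port(summary)
    return acl_decision(parse_acl(acl_text), untrusted_src, wlc_ip, "tcp", port) == "deny"


def bundle_present(dir_text):
    """True if a client debug bundle exists in the completeCDB directory listing."""
    return re.search(r"wireless_bundle_[0-9a-f.]+\.tar", dir_text) is not None


if __name__ == "__main__":
    print("block-all iACL blocks untrusted source:",
          port_mitigated(FILE_TRANSFER_SUMMARY, ACL_BLOCK_ALL, "203.0.113.5", "198.51.100.10"))
    print("restrict iACL blocks untrusted source:",
          port_mitigated(FILE_TRANSFER_SUMMARY, ACL_RESTRICT, "203.0.113.5", "198.51.100.10"))
    print("restrict iACL admits expected source:",
          acl_decision(parse_acl(ACL_RESTRICT), "192.0.2.7", "198.51.100.10", "tcp", 8443))
    print("debug bundle present:", bundle_present(DIR_LISTING))
```

Run it against real captures by replacing the constructed strings with the output of the same show commands on the WLC. The ACL check only tells you the ACL's content is right; it does not prove the ACL is applied inbound on every interface, and the bundle check says nothing about reloads, so re-run the bundle check after any reload as the advisory notes.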

While these workarounds and mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2025-20188
Cisco Bug IDs: CSCwk33139
CVSS Score: Base 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X)
Product Names From Source
Cisco IOS XE Software 17.11.1, Cisco IOS XE Software 17.12.1, Cisco IOS XE Software 17.12.2, Cisco IOS XE Software 17.12.3, Cisco IOS XE Software 17.13.1, Cisco IOS XE Software 17.14.1, Cisco IOS XE Software 17.11.99SW, Cisco IOS, Cisco IOS XE Software

Related Products

Product CVE Evidence
Cisco IOS CVE-2025-20188 Cisco OpenVuln
Cisco IOS XE Software CVE-2025-20188 Cisco OpenVuln
Cisco Catalyst 9600 Series Switches CVE-2025-20188 Cisco OpenVuln · software-dependent
Cisco Catalyst 9500 Series Switches CVE-2025-20188 Cisco OpenVuln · software-dependent
Cisco Catalyst 9400 Series Switches CVE-2025-20188 Cisco OpenVuln · software-dependent
Cisco Catalyst 9200 Series Switches CVE-2025-20188 Cisco OpenVuln · software-dependent
Cisco Catalyst 9300 Series Switches CVE-2025-20188 Cisco OpenVuln · software-dependent