CVE-2025-20188

{"id": "CVE-2025-20188", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2025-05-07T18:15:38.617", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}, {"url": "https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@cisco.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.\r\n\r This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."}, {"lang": "es", "value": "Una vulnerabilidad en la funci\u00f3n de descarga de im\u00e1genes de puntos de acceso (AP) fuera de banda del software Cisco IOS XE para controladores de LAN inal\u00e1mbrica (WLC) podr\u00eda permitir que un atacante remoto no autenticado cargue archivos arbitrarios en un sistema afectado. Esta vulnerabilidad se debe a la presencia de un token web JSON (JWT) codificado de forma r\u00edgida en un sistema afectado. Un atacante podr\u00eda explotar esta vulnerabilidad enviando solicitudes HTTPS manipuladas a la interfaz de descarga de im\u00e1genes del AP. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante cargar archivos, atravesar rutas y ejecutar comandos arbitrarios con privilegios de root. Nota: Para que la explotaci\u00f3n sea exitosa, la funci\u00f3n de descarga de im\u00e1genes de AP fuera de banda debe estar habilitada en el dispositivo. No est\u00e1 habilitada por defecto."}], "lastModified": "2025-06-23T15:15:11.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F313F2EC-F3D6-4639-934C-402DDA3DA806"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F7C157F-5569-4072-805F-7AF598F6B56F"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BF0778B-015D-481B-BAC0-40667F3453D3"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.12.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE165207-A066-44C1-B78A-6EFD80023204"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.12.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1098FCEA-6A9F-4634-A0EF-EC55ABCCEA3E"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.13.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8577AF01-F2C7-48D3-AB0B-78BD63A60029"}, {"criteria": "cpe:2.3:o:cisco:ios_xe:17.14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31789E98-7C8D-4C5A-8A3F-FC9AFE9A248C"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}