Vulnerability-Lookup

CVE-2025-20188 (GCVE-0-2025-20188)

Vulnerability from cvelistv5 – Published: 2025-05-07 17:34 – Updated: 2025-06-06 16:24

Summary

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials

Assigner

cisco

References

URL

	Vendor	Product	Version
	Cisco	Cisco IOS XE Software	Affected: 17.11.1 Affected: 17.12.1 Affected: 17.12.2 Affected: 17.12.3 Affected: 17.13.1 Affected: 17.14.1 Affected: 17.11.99SW

GHSA-489Q-H7V6-2626

Vulnerability from github – Published: 2025-05-07 18:30 – Updated: 2025-06-04 15:30

Details

A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.

This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.

Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default.

Severity ?

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-20188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T18:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.\n\n This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. \n\n Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default.",
  "id": "GHSA-489q-h7v6-2626",
  "modified": "2025-06-04T15:30:27Z",
  "published": "2025-05-07T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20188"
    },
    {
      "type": "WEB",
      "url": "https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-20188

Vulnerability from fstec - Published: 07.05.2025

Title

Уязвимость функции загрузки образа точки доступа (AP) операционной системы Cisco IOS XE контроллеров беспроводной локальной сети (WLC), позволяющая нарушителю выполнять произвольные команды

Description

Уязвимость функции загрузки образа точки доступа (AP) операционной системы Cisco IOS XE контроллеров беспроводной локальной сети (WLC) связана с наличием жестко закодированного JSON Web Token (JWT). Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнять произвольные команды путем отправки специально сформированных HTTPS-запросов

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Cisco Systems Inc.

Software Name

Cisco IOS XE

Software Version

17.9.1 (Cisco IOS XE), 17.11.1 (Cisco IOS XE), 17.12.1 (Cisco IOS XE), 17.11.99SW (Cisco IOS XE), 17.10.1 (Cisco IOS XE), 17.10.1b (Cisco IOS XE), 17.8.1 (Cisco IOS XE), 17.9.2 (Cisco IOS XE), 17.9.3 (Cisco IOS XE), 17.9.4 (Cisco IOS XE), 17.9.4a (Cisco IOS XE), 17.7.1 (Cisco IOS XE), 17.12.2 (Cisco IOS XE), 17.13.1 (Cisco IOS XE), 17.14.1 (Cisco IOS XE), 17.9.5 (Cisco IOS XE), 17.12.3 (Cisco IOS XE)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - отключение функции загрузки образов операционной системы на точки доступа (AP) по внешнему каналу; - использование межсетевого экрана уровня приложений (WAF) для фильтрации HTTP-трафика; - сегментирование сети с целью ограничения доступа к уязвимому устройству из других подсетей; - использование систем обнаружения и предотвращения вторжений для обнаружения (выявления, регистрации) и реагирования на попытки эксплуатации уязвимостей; - использование SIEM-систем для отслеживания попыток эксплуатации уязвимости; - ограничение доступа к устройству из внешних сетей (Интернет). Использование рекомендаций: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC

Reference

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/

CWE

CWE-798

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Cisco Systems Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "17.9.1 (Cisco IOS XE), 17.11.1 (Cisco IOS XE), 17.12.1 (Cisco IOS XE), 17.11.99SW (Cisco IOS XE), 17.10.1 (Cisco IOS XE), 17.10.1b (Cisco IOS XE), 17.8.1 (Cisco IOS XE), 17.9.2 (Cisco IOS XE), 17.9.3 (Cisco IOS XE), 17.9.4 (Cisco IOS XE), 17.9.4a (Cisco IOS XE), 17.7.1 (Cisco IOS XE), 17.12.2 (Cisco IOS XE), 17.13.1 (Cisco IOS XE), 17.14.1 (Cisco IOS XE), 17.9.5 (Cisco IOS XE), 17.12.3 (Cisco IOS XE)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n \n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u043e\u0431\u0440\u0430\u0437\u043e\u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043d\u0430 \u0442\u043e\u0447\u043a\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (AP) \u043f\u043e \u0432\u043d\u0435\u0448\u043d\u0435\u043c\u0443 \u043a\u0430\u043d\u0430\u043b\u0443;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 HTTP-\u0442\u0440\u0430\u0444\u0438\u043a\u0430;\n- \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0435\u0442\u0438 \u0441 \u0446\u0435\u043b\u044c\u044e \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0443 \u0438\u0437 \u0434\u0440\u0443\u0433\u0438\u0445 \u043f\u043e\u0434\u0441\u0435\u0442\u0435\u0439;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 SIEM-\u0441\u0438\u0441\u0442\u0435\u043c \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0443 \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442).\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "07.05.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "10.09.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "09.05.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-05297",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-20188",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Cisco IOS XE",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Cisco Systems Inc. Cisco IOS XE 17.9.1 , Cisco Systems Inc. Cisco IOS XE 17.11.1 , Cisco Systems Inc. Cisco IOS XE 17.12.1 , Cisco Systems Inc. Cisco IOS XE 17.11.99SW , Cisco Systems Inc. Cisco IOS XE 17.10.1 , Cisco Systems Inc. Cisco IOS XE 17.10.1b , Cisco Systems Inc. Cisco IOS XE 17.8.1 , Cisco Systems Inc. Cisco IOS XE 17.9.2 , Cisco Systems Inc. Cisco IOS XE 17.9.3 , Cisco Systems Inc. Cisco IOS XE 17.9.4 , Cisco Systems Inc. Cisco IOS XE 17.9.4a , Cisco Systems Inc. Cisco IOS XE 17.7.1 , Cisco Systems Inc. Cisco IOS XE 17.12.2 , Cisco Systems Inc. Cisco IOS XE 17.13.1 , Cisco Systems Inc. Cisco IOS XE 17.14.1 , Cisco Systems Inc. Cisco IOS XE 17.9.5 , Cisco Systems Inc. Cisco IOS XE 17.12.3 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u043e\u0431\u0440\u0430\u0437\u0430 \u0442\u043e\u0447\u043a\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (AP) \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Cisco IOS XE \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u043e\u0432 \u0431\u0435\u0441\u043f\u0440\u043e\u0432\u043e\u0434\u043d\u043e\u0439 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438 (WLC), \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0416\u0435\u0441\u0442\u043a\u043e\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-798)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u043e\u0431\u0440\u0430\u0437\u0430 \u0442\u043e\u0447\u043a\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (AP) \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Cisco IOS XE \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u043e\u0432 \u0431\u0435\u0441\u043f\u0440\u043e\u0432\u043e\u0434\u043d\u043e\u0439 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438 (WLC) \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u043b\u0438\u0447\u0438\u0435\u043c \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e JSON Web Token (JWT). \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 HTTPS-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC\nhttps://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-798",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)"
}

CERTFR-2025-AVI-0378

Vulnerability from certfr_avis - Published: 2025-05-09 - Updated: 2025-05-09

De multiples vulnérabilités ont été découvertes dans les produits Cisco. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Cisco	Catalyst Center	Catalyst Center versions antérieures à 2.3.7.9
Cisco	Catalyst SD-WAN	Catalyst SD-WAN Manager versions 20.13.x, 20.14.x et 20.15.x antérieures à 20.15.2
Cisco	Catalyst SD-WAN	Catalyst SD-WAN Manager versions 20.16.x antérieures à 20.16.1
Cisco	IOS XR	IOS XR versions antérieures à 24.3.2
Cisco	WLC AireOS	WLC AireOS versions antérieures à 8.10.196.0
Cisco	Catalyst SD-WAN	Catalyst SD-WAN Manager versions antérieures à 20.9.7
Cisco	IOS XE	IOS XE : Se référer aux bulletins de sécurité de l'éditeur pour l'obtention des configurations vulnérables des équipements (cf. section Documentation).
Cisco	Catalyst SD-WAN	Catalyst SD-WAN Manager versions 20.10.x, 20.11.x et 20.12.x antérieures à 20.12.5

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-iosxe-ikev1-dos-XHk3HzFC	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-twamp-kV4FHugn	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-iosxe-privesc-su7scvdp	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-sisf-dos-ZGwt4DdY	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-webui-cmdinj-gVn3OKNC	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-ios-http-privesc-wCRd5e3	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-asr903-rsp3-arp-dos-WmfzdvJZ	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-ewlc-cdp-dos-fpeks9K	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-wlc-wncd-p6Gvt6HL	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-dnac-api-nBPZcJCM	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-c2960-3560-sboot-ZtqADrHq	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-multiprod-ikev2-dos-gPctUqv2	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-sdwan-priviesc-WCk7bmmt	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-wlc-file-uplpd-rHZG9UfC	2025-05-07	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks	2025-05-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Catalyst Center versions ant\u00e9rieures \u00e0 2.3.7.9",
      "product": {
        "name": "Catalyst Center",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN Manager versions 20.13.x, 20.14.x et 20.15.x  ant\u00e9rieures \u00e0 20.15.2",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN Manager versions 20.16.x ant\u00e9rieures \u00e0 20.16.1",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "IOS XR  versions ant\u00e9rieures \u00e0 24.3.2",
      "product": {
        "name": "IOS XR",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "WLC AireOS versions ant\u00e9rieures \u00e0 8.10.196.0",
      "product": {
        "name": "WLC AireOS",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN Manager versions ant\u00e9rieures \u00e0 20.9.7",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "IOS XE : Se r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des configurations vuln\u00e9rables des \u00e9quipements (cf. section Documentation).",
      "product": {
        "name": "IOS XE",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN Manager versions 20.10.x, 20.11.x et 20.12.x ant\u00e9rieures \u00e0 20.12.5",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-20189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20189"
    },
    {
      "name": "CVE-2025-20192",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20192"
    },
    {
      "name": "CVE-2025-20199",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20199"
    },
    {
      "name": "CVE-2025-20191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20191"
    },
    {
      "name": "CVE-2025-20188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20188"
    },
    {
      "name": "CVE-2025-20198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20198"
    },
    {
      "name": "CVE-2025-20181",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20181"
    },
    {
      "name": "CVE-2025-20122",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20122"
    },
    {
      "name": "CVE-2025-20202",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20202"
    },
    {
      "name": "CVE-2025-20210",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20210"
    },
    {
      "name": "CVE-2025-20162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20162"
    },
    {
      "name": "CVE-2025-20200",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20200"
    },
    {
      "name": "CVE-2025-20154",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20154"
    },
    {
      "name": "CVE-2025-20140",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20140"
    },
    {
      "name": "CVE-2025-20201",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20201"
    },
    {
      "name": "CVE-2025-20186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20186"
    },
    {
      "name": "CVE-2025-20182",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20182"
    },
    {
      "name": "CVE-2025-20197",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20197"
    },
    {
      "name": "CVE-2025-20164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20164"
    }
  ],
  "initial_release_date": "2025-05-09T00:00:00",
  "last_revision_date": "2025-05-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0378",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Cisco. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Cisco",
  "vendor_advisories": [
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-iosxe-ikev1-dos-XHk3HzFC",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ikev1-dos-XHk3HzFC"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-twamp-kV4FHugn",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-iosxe-privesc-su7scvdp",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-privesc-su7scvdp"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-sisf-dos-ZGwt4DdY",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sisf-dos-ZGwt4DdY"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-webui-cmdinj-gVn3OKNC",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-gVn3OKNC"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-ios-http-privesc-wCRd5e3",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-privesc-wCRd5e3"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-asr903-rsp3-arp-dos-WmfzdvJZ",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr903-rsp3-arp-dos-WmfzdvJZ"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-ewlc-cdp-dos-fpeks9K",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-cdp-dos-fpeks9K"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-wlc-wncd-p6Gvt6HL",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-p6Gvt6HL"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-dnac-api-nBPZcJCM",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-api-nBPZcJCM"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-c2960-3560-sboot-ZtqADrHq",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c2960-3560-sboot-ZtqADrHq"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-multiprod-ikev2-dos-gPctUqv2",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multiprod-ikev2-dos-gPctUqv2"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-sdwan-priviesc-WCk7bmmt",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-priviesc-WCk7bmmt"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-wlc-file-uplpd-rHZG9UfC",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC"
    },
    {
      "published_at": "2025-05-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks"
    }
  ]
}

FKIE_CVE-2025-20188

Vulnerability from fkie_nvd - Published: 2025-05-07 18:15 - Updated: 2025-06-23 15:15

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	psirt@cisco.com	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC	Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
cisco	ios_xe	17.11.1
cisco	ios_xe	17.11.99sw
cisco	ios_xe	17.12.1
cisco	ios_xe	17.12.2
cisco	ios_xe	17.12.3
cisco	ios_xe	17.13.1
cisco	ios_xe	17.14.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F313F2EC-F3D6-4639-934C-402DDA3DA806",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F7C157F-5569-4072-805F-7AF598F6B56F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BF0778B-015D-481B-BAC0-40667F3453D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE165207-A066-44C1-B78A-6EFD80023204",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.12.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "1098FCEA-6A9F-4634-A0EF-EC55ABCCEA3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8577AF01-F2C7-48D3-AB0B-78BD63A60029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:17.14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "31789E98-7C8D-4C5A-8A3F-FC9AFE9A248C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.\r\n\r This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system.  An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en la funci\u00f3n de descarga de im\u00e1genes de puntos de acceso (AP) fuera de banda del software Cisco IOS XE para controladores de LAN inal\u00e1mbrica (WLC) podr\u00eda permitir que un atacante remoto no autenticado cargue archivos arbitrarios en un sistema afectado. Esta vulnerabilidad se debe a la presencia de un token web JSON (JWT) codificado de forma r\u00edgida en un sistema afectado. Un atacante podr\u00eda explotar esta vulnerabilidad enviando solicitudes HTTPS manipuladas a la interfaz de descarga de im\u00e1genes del AP. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante cargar archivos, atravesar rutas y ejecutar comandos arbitrarios con privilegios de root. Nota: Para que la explotaci\u00f3n sea exitosa, la funci\u00f3n de descarga de im\u00e1genes de AP fuera de banda debe estar habilitada en el dispositivo. No est\u00e1 habilitada por defecto."
    }
  ],
  "id": "CVE-2025-20188",
  "lastModified": "2025-06-23T15:15:11.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-07T18:15:38.617",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-20188 (GCVE-0-2025-20188)

GHSA-489Q-H7V6-2626

CVE-2025-20188

CERTFR-2025-AVI-0378

Solutions

FKIE_CVE-2025-20188

Tags

Sightings

Nomenclature