{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T00:36:17.376","vulnerabilities":[{"cve":{"id":"CVE-2025-20188","sourceIdentifier":"psirt@cisco.com","published":"2025-05-07T18:15:38.617","lastModified":"2025-06-23T15:15:11.117","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.\r\n\r This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system.  An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."},{"lang":"es","value":"Una vulnerabilidad en la función de descarga de imágenes de puntos de acceso (AP) fuera de banda del software Cisco IOS XE para controladores de LAN inalámbrica (WLC) podría permitir que un atacante remoto no autenticado cargue archivos arbitrarios en un sistema afectado. Esta vulnerabilidad se debe a la presencia de un token web JSON (JWT) codificado de forma rígida en un sistema afectado. Un atacante podría explotar esta vulnerabilidad enviando solicitudes HTTPS manipuladas a la interfaz de descarga de imágenes del AP. Una explotación exitosa podría permitir al atacante cargar archivos, atravesar rutas y ejecutar comandos arbitrarios con privilegios de root. Nota: Para que la explotación sea exitosa, la función de descarga de imágenes de AP fuera de banda debe estar habilitada en el dispositivo. No está habilitada por defecto."}],"metrics":{"cvssMetricV31":[{"source":"psirt@cisco.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0}]},"weaknesses":[{"source":"psirt@cisco.com","type":"Secondary","description":[{"lang":"en","value":"CWE-798"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.11.1:*:*:*:*:*:*:*","matchCriteriaId":"F313F2EC-F3D6-4639-934C-402DDA3DA806"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.11.99sw:*:*:*:*:*:*:*","matchCriteriaId":"6F7C157F-5569-4072-805F-7AF598F6B56F"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.12.1:*:*:*:*:*:*:*","matchCriteriaId":"1BF0778B-015D-481B-BAC0-40667F3453D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.12.2:*:*:*:*:*:*:*","matchCriteriaId":"EE165207-A066-44C1-B78A-6EFD80023204"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.12.3:*:*:*:*:*:*:*","matchCriteriaId":"1098FCEA-6A9F-4634-A0EF-EC55ABCCEA3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.13.1:*:*:*:*:*:*:*","matchCriteriaId":"8577AF01-F2C7-48D3-AB0B-78BD63A60029"},{"vulnerable":true,"criteria":"cpe:2.3:o:cisco:ios_xe:17.14.1:*:*:*:*:*:*:*","matchCriteriaId":"31789E98-7C8D-4C5A-8A3F-FC9AFE9A248C"}]}]}],"references":[{"url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC","source":"psirt@cisco.com","tags":["Vendor Advisory"]},{"url":"https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}}]}