Technical details on a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw, tracked as CVE-2025-20188, have been made public, bringing a working exploit a step closer.
Horizon3's write-up does not contain a ready-to-use proof-of-concept RCE script, but it provides enough information for a skilled attacker, or even an LLM, to fill in the missing parts.
Given the imminent risk of weaponization and widespread use in attacks, impacted users are advised to take action now to protect their devices.
The Cisco IOS XE WLC flaw
Cisco disclosed the critical flaw in IOS XE Software for Wireless LAN Controllers on May 7, 2025; it allows an attacker to take over affected devices.
The vendor said it is caused by a hard-coded JSON Web Token (JWT) that lets an unauthenticated remote attacker upload files, perform path traversal, and execute arbitrary commands with root privileges.
The bulletin noted that CVE-2025-20188 is only exploitable when the Out-of-Band AP Image Download feature is enabled on the device, in which case the following products are at risk:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
Horizon3 exploit example
Horizon3's analysis shows that the flaw exists because a hard-coded JWT fallback secret ("notfound"), used by the Lua backend scripts that handle access point image uploads, is combined with insufficient path validation.
More specifically, the backend uses OpenResty (Lua + Nginx) scripts to validate JWT tokens and handle file uploads, but if the '/tmp/nginx_jwt_key' file is missing, the script falls back to the string "notfound" as the secret for verifying the JWT.
This effectively lets attackers generate tokens the backend accepts without knowing any real secret, simply by signing with "HS256" and the key "notfound".
Horizon3's example sends an HTTP POST file-upload request to the '/ap_spec_rec/' endpoint on port 8443 and uses path traversal in the file name to drop a harmless file (foo.txt) outside the intended directory.
Source: Horizon3
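The second half of the flaw is the missing path check on the uploaded file name. As an added illustration (not Horizon3's or Cisco's code), the Python below shows the server-side validation an upload handler needs: the file name is decoded, resolved, and rejected unless it lands inside the upload directory. `UPLOAD_DIR`, `resolve_upload_path` and `triage_uploads` are assumed names, and the captured requests are constructed sample data.

```python
"""Path validation for an upload handler that stores files under one fixed
directory. Illustrative only: the real backend is OpenResty/Lua, not Python."""
import os
from typing import Optional
from urllib.parse import unquote

# Constructed for the example; not the controller's real storage path.
UPLOAD_DIR = "/var/tmp/ap_upload_demo"


def resolve_upload_path(base_dir: str, filename: str) -> Optional[str]:
    """Return the absolute destination for `filename`, or None if the
    (possibly URL-encoded) name would escape `base_dir`."""
    # Decode twice so a double-encoded '%252e%252e' cannot slip past.
    name = unquote(unquote(filename))
    # Empty names, NUL bytes and absolute paths are rejected outright;
    # os.path.join would silently discard base_dir for an absolute name.
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # commonpath (rather than startswith) so a sibling such as
    # /var/tmp/ap_upload_demo2 is not mistaken for a child of base.
    if dest == base or os.path.commonpath([base, dest]) != base:
        return None
    return dest


def triage_uploads(requests):
    """Return the file names from captured upload requests that the check
    above would reject; useful when reviewing proxied traffic."""
    return [r["filename"] for r in requests
            if resolve_upload_path(UPLOAD_DIR, r["filename"]) is None]


# Constructed sample requests: one legitimate, two traversal attempts.
SAMPLE_REQUESTS = [
    {"path": "/ap_spec_rec/", "filename": "ap_image.bin"},
    {"path": "/ap_spec_rec/", "filename": "../../../../foo.txt"},
    {"path": "/ap_spec_rec/", "filename": "..%2F..%2Ffoo.txt"},
]

if __name__ == "__main__":
    print("rejected:", triage_uploads(SAMPLE_REQUESTS))
```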
To escalate the file upload flaw to remote code execution, an attacker can overwrite configuration files loaded by backend services, plant web shells, or abuse monitored files to trigger unauthorized actions.
Horizon3's example abuses the 'pvp.sh' service, which watches specific directories: overwriting the configuration files it depends on triggers a reload that executes attacker-supplied commands.
Given the high risk of exploitation, users are advised to upgrade to a patched release (17.12.04 or later) as soon as possible.
As a temporary workaround, administrators can disable the Out-of-Band AP Image Download feature to shut down the vulnerable service.