Cisco is urging customers to patch for a maximum-severity flaw affecting its IOS XE Software for Wireless controllers.
The flaw, tracked as CVE-2025-20188, carries a CVSS score of 10/10, the maximum possible, because it is easy to exploit and allows arbitrary command execution.
“A vulnerability in the Out-Of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthorized, remote attacker to upload arbitrary files to an affected system,” Cisco said in an advisory.
Successful exploitation of the flaw could allow attackers to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Non-WLC instances remain unaffected
According to the advisory, customers running IOS XE Software instances on devices that aren’t functioning as WLCs aren’t vulnerable.
The flaw affects only WLC deployments, which include products such as the Catalyst 9800-CL Wireless Controllers for Cloud, the Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches, the Catalyst 9800 Series Wireless Controllers, and the Embedded Wireless Controller on Catalyst APs. Additionally, Cisco noted that for exploitation to succeed, the Out-of-Band AP Image Download feature must be enabled on the device; it is not enabled by default.
These conditions exclude several widely used Cisco product lines from the list of vulnerable products, including IOS Software, IOS XR Software, Meraki products, NX-OS Software, and WLC AireOS Software.
While no workaround is available, the company recommended that administrators disable the Out-of-Band AP Image Download feature as a mitigation, noting that this might affect mass AP upgrades. An AP upgrade refers to updating the firmware or software image on a wireless access point (AP).
A patch is now available
Cisco has released software updates to address the flaw and is advising customers whose service contracts entitle them to regular updates to apply the patches as they receive them.
Customers without a service contract are advised to obtain the upgrades by contacting Cisco TAC. This includes customers who purchase directly from Cisco but do not hold a service contract, as well as those who purchase from third-party vendors but did not obtain a fix from them.
For customers unable to update to a fixed version, Cisco recommended caution before implementing any other mitigations. “Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment,” the company said. Customers were also advised to use the Cisco Software Checker to determine their exposure to the vulnerability. Cisco said that its Product Security Incident Response Team (PSIRT) is not yet aware of any active exploitation of the flaw, which was discovered during internal security testing.
The original article was published by CSO Online: Cisco patches max-severity flaw allowing arbitrary command execution.