Source: www.csoonline.com – Author:
Security experts call vulnerability a ‘textbook case’ of dangerous coding practices; Cisco issues urgent patch.
The heat is back on Wireless LAN Controllers (WLCs) running Cisco IOS XE after technical details of a recently disclosed maximum-severity vulnerability were made public.
A patch diff performed by Horizon3.ai, a cybersecurity firm specializing in pen-testing and attack simulation, revealed significant details about the flaw, which potentially allows attackers to upload arbitrary files remotely.
“Given the severity and ease of exploitation, patching this vulnerability must be an immediate top priority for all organizations using Cisco IOS XE WLC devices,” said Shane Barne, CISO at Keeper Security.
According to the Horizon3 analysis, a hard-coded JSON Web Token (JWT) secret is at the root of the vulnerability. “It’s crucial to eliminate hard-coded secrets from authentication workflows, enforce robust file upload validation and path sanitization, and maintain continuous monitoring and patch management across all critical systems,” Barne added.
Diffing allowed locating hard-coded JWT
Tracked as CVE-2025-20188, the flaw disclosed earlier in May was revealed to be an issue affecting the Out-of-Band Access Point (AP) Download feature of Cisco IOS XE Software for WLCs. The AP image download interface uses a hard-coded JWT for authentication, which an attacker can use to authenticate requests without valid credentials.
Horizon3 researchers diffed the file system contents extracted from the ISO images and narrowed the changes down to a set of Lua scripts. The scripts referenced both JWTs and the associated signing key, indicating their involvement in the vulnerability. The researchers then ran a simple grep across the source code to determine how and where these Lua scripts were invoked.
Researchers found that the vulnerability stems from a flawed fallback in the Lua script responsible for validating JWTs: when the script fails to locate a secret key, it defaults to the hard-coded string “notfound” as the signing secret. An attacker can craft a JWT signed with “notfound” to trigger the fallback and bypass authentication.
“This vulnerability is a textbook example of why hardcoded secrets and insufficient validation are such dangerous anti-patterns in software security,” said BugCrowd founder Casey Ellis. “The use of ‘notfound’ as a fallback JWT secret essentially defeats the entire purpose of token-based authentication—it’s like locking your front door but leaving the key under the mat with a sign that says ‘key here.’”
A call for urgent patching
Cisco patched the maximum-severity flaw (CVSS 10 out of 10) in mid-May, with fixes delivered to customers with service contracts and, through Cisco TAC, to customers without service contracts.
Researchers recommended promptly upgrading to the latest version of the affected software, as no other workaround is available. “For security teams, the priority is clear: patch immediately,” Ellis noted. “If patching isn’t feasible in the short term, implement compensating controls like restricting access to the affected endpoints, monitoring for suspicious file uploads, and disabling unnecessary services. This is a ‘drop everything and fix it’ kind of bug—waiting is not an option.”
Original Post url: https://www.csoonline.com/article/4000770/cisco-wireless-lan-controllers-under-threat-again-after-critical-exploit-details-go-public.html
Category & Tags: Security, Vulnerabilities