{"id":3420,"date":"2025-06-03T12:13:31","date_gmt":"2025-06-03T12:13:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3420"},"modified":"2025-06-03T12:13:31","modified_gmt":"2025-06-03T12:13:31","slug":"cisco-wireless-lan-controllers-under-threat-again-after-critical-exploit-details-go-public","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3420","title":{"rendered":"Cisco Wireless LAN Controllers under threat again after critical exploit details go public"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The heat is back on Wireless LAN Controllers (WLCs) running Cisco IOS XE after technical details of a recently disclosed max-severity exploit were made public.<\/p>\n<p>Patch diffing performed by Horizon3.ai, a cybersecurity outfit specialized in pen-testing and attack simulation, revealed significant details about the flaw that potentially allows attackers to <a href=\"https:\/\/www.csoonline.com\/article\/3982055\/cisco-patches-max-severity-flaw-allowing-arbitrary-command-execution.html?utm=hybrid_search\">upload arbitrary files remotely<\/a>.<\/p>\n<p>\u201cGiven the severity and ease of exploitation, patching this vulnerability must be an immediate top priority for all organizations using Cisco IOS XE WLC devices,\u201d said Shane Barney, CISO at Keeper Security.<\/p>\n<p>According to the Horizon3 <a href=\"https:\/\/horizon3.ai\/attack-research\/attack-blogs\/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis\/\" target=\"_blank\" rel=\"noopener\">analysis<\/a>, a hard-coded JSON Web Token (JWT) is at the root of the exploit. 
\u201cIt\u2019s crucial to eliminate hard-coded secrets from authentication workflows, enforce robust file upload validation and path sanitization, and maintain continuous monitoring and patch management across all critical systems,\u201d Barney added.<\/p>\n<h2 class=\"wp-block-heading\">Patch diffing located the hard-coded JWT<\/h2>\n<p>Tracked as CVE-2025-20188, the flaw disclosed earlier in May was revealed to be an <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-wlc-file-uplpd-rHZG9UfC\">issue<\/a> affecting the Out-of-Band Access Point (AP) Download feature of Cisco IOS XE Software for WLCs. The AP image download interface uses a hard-coded JWT for authentication, which an attacker can use to authenticate requests without valid credentials.<\/p>\n<p>Horizon3 researchers <a href=\"https:\/\/cve-north-stars.github.io\/docs\/Patch-Diffing\" target=\"_blank\" rel=\"noopener\">diffed<\/a> file system contents from ISO images to arrive at the Lua scripts, where notable changes were found. The scripts referenced both JWT tokens and the associated key, indicating their involvement in the vulnerability. The researchers then performed a simple grep search across the source code to determine how and where these Lua scripts were invoked.<\/p>\n<p>Researchers found that the vulnerability stems from a flawed fallback mechanism in the Lua script responsible for validating JWTs. When the script fails to locate a secret key, it defaults to using the hard-coded string \u201cnotfound\u201d as the secret. An attacker can craft a JWT signed with the \u201cnotfound\u201d secret to trigger the fallback and bypass authentication.<\/p>\n<p>\u201cThis vulnerability is a textbook example of why hardcoded secrets and insufficient validation are such dangerous anti-patterns in software security,\u201d said BugCrowd founder Casey Ellis. 
\u201cThe use of \u2018notfound\u2019 as a fallback JWT secret essentially defeats the entire purpose of token-based authentication\u2014it\u2019s like locking your front door but leaving the key under the mat with a sign that says \u2018key here.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">A call for <strong>urgent patching<\/strong><\/h2>\n<p>Cisco had patched the max-severity flaw, rated CVSS 10 out of 10, in mid-May rollouts for customers with service contracts and through <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/web\/tsd-cisco-worldwide-contacts.html\" target=\"_blank\" rel=\"noopener\">Cisco TAC<\/a> for customers without service contracts.<\/p>\n<p>Researchers recommended promptly upgrading to the latest version of the affected software, as no other workaround is available. \u201cFor security teams, the priority is clear: patch immediately,\u201d Ellis noted. \u201cIf patching isn\u2019t feasible in the short term, implement compensating controls like restricting access to the affected endpoints, monitoring for suspicious file uploads, and disabling unnecessary services. This is a \u2018drop everything and fix it\u2019 kind of bug\u2014waiting is not an option.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The heat is back on Wireless LAN Controllers (WLCs) running Cisco IOS XE after technical details of a recently disclosed max-severity exploit were made public. Patch diffing performed by Horizon3.ai, a cybersecurity outfit specialized in pen-testing and attack simulation, revealed significant details about the flaw that potentially allows attackers to upload arbitrary files remotely. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3421,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3420","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3420"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3420"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3420\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3421"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}