Critical Cisco IOS XE Vulnerability Allows Arbitrary File Upload – PoC Released
Source: cybersecuritynews.com (Vulnerability)
Author: Kaaviya
A critical security vulnerability in Cisco IOS XE Wireless Controller Software has emerged as a significant threat to enterprise networks, with researchers releasing proof-of-concept (PoC) exploit code that demonstrates how attackers can achieve remote code execution with root privileges.
The vulnerability, tracked as CVE-2025-20188, has been assigned the maximum CVSS score of 10.0, highlighting its severe impact on affected systems.
Cisco disclosed this vulnerability on May 7, 2025, affecting multiple enterprise-grade wireless controller products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers, and Catalyst 9800 Series Wireless Controllers.
The flaw stems from a hard-coded JSON Web Token (JWT) present in the Out-of-Band Access Point (AP) Image Download feature, allowing unauthenticated remote attackers to bypass authentication mechanisms and upload arbitrary files to vulnerable systems.
Hard-Coded Authentication Flaw
Security researchers at Horizon3.ai conducted an in-depth analysis comparing vulnerable and patched firmware images, discovering the root cause within the Lua scripting components of the OpenResty web platform.
The vulnerability lies in the ewlc_jwt_verify.lua and ewlc_jwt_upload_files.lua scripts located in /var/scripts/lua/features/, which handle JWT verification and file upload operations, respectively.
The authentication bypass occurs when the JWT verification script reads a secret key from /tmp/nginx_jwt_key. If this file is missing, the system defaults to using a hard-coded value of “notfound” as the secret, effectively creating a backdoor authentication mechanism.
This design flaw allows attackers to craft valid JWTs using the known secret and bypass security controls entirely.
The vulnerable endpoints include /aparchive/upload and /ap_spec_rec/upload/, which are configured in the nginx configuration file /usr/binos/conf/nginx-conf/https-only/ap-conf/ewlc_auth_jwt.conf.
These endpoints process file uploads with client body sizes up to 1536MB and 500MB, respectively, providing ample opportunity for malicious payload delivery.
Risk Factors / Details
Affected Products:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300/9400/9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
Impact: Remote code execution with root privileges
Exploit Prerequisites:
1. Out-of-Band AP Image Download feature enabled
2. Attacker sends crafted HTTPS requests to the /aparchive/upload or /ap_spec_rec/upload/ endpoints
3. Use of the hard-coded JWT secret “notfound” for authentication bypass
CVSS 3.1 Score: 10.0 (Critical)
Proof-of-Concept
The released PoC demonstrates how attackers can leverage path traversal techniques to place files in arbitrary locations on the target system.
Researchers successfully uploaded files using the filename parameter “../../usr/binos/openresty/nginx/html/foo.txt”, effectively bypassing directory restrictions through relative path manipulation.
To achieve remote code execution, attackers can exploit the internal process management service (pvp.sh) that monitors file changes using inotifywait.
The researchers demonstrated this technique by modifying service configuration files and successfully extracting the /etc/passwd file, confirming complete system compromise.
The exploit requires the JWTReqId header to be set to ‘cdb_token_request_id1’, which researchers discovered through reverse engineering of the shared library /usr/binos/lib64/libewlc_apmgr.so.
This level of technical detail in the public disclosure significantly lowers the barrier for potential attackers.
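For defenders, the two upload endpoints and the traversal-style filename described above are the most useful artifacts to hunt for in the controller's web server access logs. The following is an added example (not code from the article or from Horizon3.ai) that scans nginx-style "combined" log lines for requests to those endpoints and escalates any whose filename parameter contains a ".." path segment; the log lines, IPs and filenames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Upload endpoints of the Out-of-Band AP Image Download feature named in the write-up.
VULN_ENDPOINTS = ("/aparchive/upload", "/ap_spec_rec/upload/")

# Constructed sample lines in nginx "combined" log format (hosts, IPs and
# filenames are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2025:10:01:02 +0000] "POST /aparchive/upload?filename=ap-image.tar HTTP/1.1" 200 12 "-" "curl/8.4.0"
10.0.0.9 - - [10/May/2025:10:01:07 +0000] "POST /aparchive/upload?filename=..%2F..%2Fusr%2Fbinos%2Fopenresty%2Fnginx%2Fhtml%2Ffoo.txt HTTP/1.1" 200 12 "-" "python-requests/2.31"
10.0.0.9 - - [10/May/2025:10:01:09 +0000] "POST /ap_spec_rec/upload/?filename=../../etc/x HTTP/1.1" 403 0 "-" "python-requests/2.31"
10.0.0.7 - - [10/May/2025:10:02:00 +0000] "GET /webui/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment, with either slash style, at the start, middle or end of the name.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def filename_has_traversal(target):
    """Return the decoded filename if it contains a '..' segment, else None."""
    query = urlsplit(target).query
    for raw in parse_qs(query).get("filename", []):
        # parse_qs decodes once; decode twice more to catch double-encoded sequences.
        name = unquote(unquote(raw))
        if TRAVERSAL_RE.search(name):
            return name
    return None

def scan_log(text):
    """Return one finding per request to a vulnerable upload endpoint."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = urlsplit(rec["target"]).path
        if path not in VULN_ENDPOINTS:
            continue
        # Every hit on these endpoints is recorded; a traversal filename raises severity.
        name = filename_has_traversal(rec["target"])
        findings.append({"ip": rec["ip"], "path": path, "status": rec["status"],
                         "severity": "high" if name else "info", "filename": name})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 403 on the endpoint still indicates an attempt and is worth correlating with the source address; a 200 on a traversal filename is the case that warrants an incident response check of the controller's filesystem.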
Mitigation
Cisco has released software updates addressing this vulnerability and strongly recommends immediate patching.
Organizations unable to patch immediately should disable the Out-of-Band AP Image Download feature, which forces AP image downloads to use the CAPWAP method instead.
This mitigation does not impact AP client operations but effectively eliminates the attack vector.
Security experts emphasize that while the vulnerable feature is disabled by default, many enterprise deployments may have enabled it for faster AP provisioning.
Organizations should immediately audit their Cisco wireless infrastructure to identify exposed systems and apply appropriate remediation measures before attackers can exploit this critical vulnerability in production environments.