Cisco Wireless LAN controllers are threatened again after the critical exploit details are revealed

According to Horizon3 analysis, hard-coded JSON Web Token (JWT) is the source of exploitation. “It is crucial to eliminate hard-coded secrets from the authentication workflow, powerful file upload verification and path disinfection, and maintain continuous monitoring and patch management in all critical systems,” Barne added.

Diffusion allows positioning of hard-coded JWTs

The defect was tracked as CVE-2025-20188, and the defect disclosed in early May was found to be an issue affecting the external access point (AP) download capability of the WLCS Cisco iOS XE software. The AP image download interface uses hard-coded JWT for authentication, which can be used by an attacker to verify the request.

Horizon3 researchers dispersed file system content from ISO images to reach the LUA script, where significant changes were found. The script references the JWT token and associated key, indicating that they are involved in the vulnerability. The researchers then conducted a simple GREP search on the source code to determine how and where these LUA scripts are called.