A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
The root cause of the vulnerability is the presence of a hardcoded JWT (JSON Web Token) token in Cisco IOS XE software. An attacker sends crafted HTTPS requests to the AP file upload interface, authenticating using this token without possessing any credentials of their own. Successful exploitation enables uploading arbitrary files to the vulnerable system and performing path traversal to place them in selected file system locations. As a result, it is possible to execute arbitrary commands with root privileges.
An attacker can gain full control of the device — upload malicious files, modify system configuration, and execute arbitrary commands with the highest privileges (root), resulting in complete violation of the device's confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references — detailed information about fixed versions is contained in the official Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC. As a temporary workaround, consider restricting access to the AP file upload interface at the network level.
Cisco IOS XE Software for Wireless LAN Controllers (WLC) — versions indicated in the vendor's references (Cisco advisory).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCisco IOS XE
OSCisco17.11.117.11.99sw17.12.117.12.217.12.317.13.117.14.1
Related vulnerabilities
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in...
A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software coul...
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE S...
RCE w web services Cisco ASA, FTD, IOS, IOS XE, IOS XR przez HTTP
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisc...