The Exploit

Notes from the Front Lines of Penetration Testing

Cisco Releases Patch for CVE-2025-20188 – 10.0 CVSS

Posted on

Categories: , , ,
Cisco Releases Patch for CVE-2025-20188 – 10.0 CVSS

Written by

Scottie Cole

A critical vulnerability in Cisco Catalyst 9800 wireless controllers could allow attackers to gain remote root access by exploiting a hard-coded JSON Web Token (JWT) in the Out-of-Band AP Image Download feature, which is disabled by default.

Administrators should verify if this feature is enabled and disable it as a temporary mitigation. Cisco has released patches to fully remediate the issue, and Raxis strongly recommends updating to the latest software version as soon as possible.

The Raxis team is reaching out to all Raxis Attack customers who may be affected.

View the Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC

Written by

Scottie Cole

Scottie has over 20 years working in IT. He has experience with systems administration, networking and wireless, and security. He currently holds certifications as a GIAC Penetration Tester (GPEN) and a Certified Information Security Professional (CISSP). In his spare time, he enjoys learning new technologies, being with family, fishing and going to the beach.

Scottie Cole
Scottie has over 20 years working in IT. He has experience with systems administration, networking and wireless, and security. He currently holds certifications as a GIAC Penetration Tester (GPEN) and a Certified Information Security Professional (CISSP). In his spare time, he enjoys learning new technologies, being with family, fishing and going to the beach.

Also by Scottie Cole
  • Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key for Penetration Testing
  • The CrowdStrike Outage: Lessons Learned
  • Cool Tools Series: Host Discovery in Penetration Testing
  • What to Expect with a Raxis Wireless Penetration Test

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Learn More

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Learn More

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Learn More

Read More From The Exploit

  • Lessons from the DaVita Healthcare Ransomware Attack

    Lessons from the DaVita Healthcare Ransomware Attack
    By Brian Tant • September 18, 2025
    Read More
  • HTTP/1.1 Security News: What You Can Do Now

    HTTP/1.1 Security News: What You Can Do Now
    By Jason Taylor • September 16, 2025
    Read More
  • Dev's Fast Reporting of Phish Reduced Impact on Blockchain Malware Attacks

    Dev’s Fast Reporting of Phish Reduced Impact on Blockchain Malware Attacks
    By Andrew Trexler • September 11, 2025
    Read More
  • Dangers of Storing Sensitive Data in Web Storage: 5 Real Attack Scenarios

    Dangers of Storing Sensitive Data in Web Storage: 5 Real Attack Scenarios
    By Ryan Chaplin • August 26, 2025
    Read More

Ready To See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.

Schedule a Demo