According to the Horizon3 analysis, a hard-coded JSON Web Token (JWT) is at the root of the exploit. “It’s crucial to eliminate hard-coded secrets from authentication workflows, enforce robust file upload validation and path sanitization, and maintain continuous monitoring and patch management across all critical systems,” Barne added.
Diffing allowed locating hard-coded JWT
Tracked as CVE-2025-20188, the flaw disclosed earlier in May was revealed to be an issue affecting the Out-of-Band Access Point (AP) Download feature of Cisco IOS XE Software for WLCs. The AP image download interface uses a hard-coded JWT for authentication, which an attacker can use to authenticate requests without valid credentials.
Horizon3 researchers diffed file system contents from ISO images to arrive at the Lua scripts, where notable changes were found. The scripts referenced both JWT tokens and the associated key, indicating their involvement in the vulnerability. The researchers then performed a simple grep search across the source code to determine how and where these Lua scripts were invoked.
