In early May 2025, Cisco released software fixes to address a flaw in its IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability, tracked as CVE-2025-20188, has a CVSS score of 10.0 and could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system – but the real story is that this vulnerability drives home the persistent risks associated with hardcoded credentials, particularly JSON Web Tokens (JWTs), in network infrastructure components. 

In this blog post, we’ll explore CVE-2025-20188, the concerning trend of hardcoded JWT secrets, and how Wallarm can help prevent these kinds of issues. 

What is CVE-2025-20188?

CVE-2025-20188 is a critical vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLCs. The core issue lies in a hardcoded JWT – a predictable, reusable authentication key – embedded within the software. Attackers could exploit this vulnerability by sending API requests using this hardcoded key to the AP image download interface.

If successful, they could upload arbitrary files to the system, write them outside the intended directory (a technique known as path traversal), and ultimately execute commands with full administrator (root) privileges. However, it is important to note that the vulnerable Out-of-Band AP Image Download feature is disabled by default, meaning this is only a risk if someone has manually turned this feature on.

CVE-2025-20188’s Potential Impact

As noted, CVE-2025-20188 is a maximum severity flaw with significant potential impacts. If an attacker were to exploit this vulnerability, they could:

  • Gain unauthorized access to sensitive information
  • Disrupt network services
  • Achieve complete system compromise with root-level access

Given the severity and potential impact, organizations utilizing affected Cisco WLCs should address this vulnerability as a matter of urgency. 

Products Affected by CVE-2025-20188

If you’re wondering whether you might be affected by this vulnerability, it is present in the following Cisco products when running vulnerable versions of IOS XE Software with the Out-of-Band AP Image Download feature enabled:

  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Embedded Wireless Controller on Catalyst Access Points

Recommendations for Mitigating CVE-2025-20188

Cisco has provided recommendations for organizations and individuals that might be affected by CVE-2025-20188:

  1. Update Cisco Software: Apply the latest patches provided by Cisco for IOS XE Software to eliminate the vulnerability. Regular updates are essential to address newly discovered security flaws.
  2. Verify Feature Configuration: Ensure that the Out-of-Band Access Point (AP) Image Download feature is disabled unless explicitly required. This feature is not enabled by default, and turning it off reduces potential exposure.
  3. Harden Devices and Minimize Attack Surface: Disable unnecessary services and features to limit the system’s attack surface. Follow industry best practices, such as the CIS Benchmarks for Cisco devices, to secure device configurations and enforce consistent security policies.

Taking these steps can not only protect against this specific vulnerability but also help prevent exploitation of similar flaws in the future.

The Prevalence of Hardcoded JWT Secrets

However, as we mentioned earlier, the staggering prevalence of hardcoded JWT keys is the real story here. According to the Wallarm ThreatStats Report for Q1 2025, hardcoded secrets – alongside misconfiguration and unauthenticated API access – contributed to an overwhelming majority of API security breaches in Q1, particularly in AI and healthcare sectors. 

These flaws affect a diverse range of software – from web applications to industrial control systems and developer tools – making them a cross-cutting concern for software teams across all sectors. To put their prevalence into context, here are just a few of the CVEs from the past three years related to hardcoded JWT keys:

  • CVE-2025-26340 – Q-Free MaxTime (Traffic System): Use of a hardcoded JWT key allows unauthenticated remote access via forged HTTP requests.
  • CVE-2023-5074 – D-Link D-View 8 (Network Software): Hardcoded JWT key allows authentication bypass and restricted operations.
  • CVE-2023-33371 – Control iD iDSecure (Access Control): JWT key hardcoded in source code, allowing forgery of session tokens.
  • CVE-2023-33236 – Moxa MXsecurity Series (Security Device): Authentication bypass via embedded JWT key.
  • CVE-2023-27172 – Xpand IT Write-Back (Web App): Weak, hardcoded JWT secret could be brute-forced to impersonate users.
  • CVE-2022-36672 – Novel-Plus (Web App): Config files contain hardcoded JWT key enabling unauthorized sessions.
  • CVE-2022-35540 – AgileConfig (DevOps Tool): Admin access gained by generating JWTs with known secret.
  • CVE-2022-3214 – Delta Electronics DIAEnergie (Industrial): Unauthenticated access via a static JWT key.
  • CVE-2021-40494 – AdaptiveScale LXDUI (Dev Tool): Admin-level access obtained through hardcoded secret in management UI.
  • CVE-2020-4283 – IBM Security Info Queue (Security Tool): JWT secret stored in plain text in configuration files.
  • CVE-2020-1764 – Kiali (Dashboard Tool): Default config includes hardcoded JWT key, leading to token forgery.

This list, while not exhaustive, underscores both the persistence and widespread nature of hardcoded JWT secrets across diverse technology stacks. The very fact that vulnerabilities of this nature continue to be so common highlights a concerning and consistent failure on the part of many organizations to implement secure development practices. Exploiting these weaknesses often requires very little effort on the part of attackers, yet can lead to severe consequences. So, how can organizations protect themselves from these kinds of vulnerabilities? With Wallarm.
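The pattern behind every entry above is the same: an HS256 signing key that is baked into the code or shipped as a default, so anyone who reads it can mint valid tokens. The following added example (written for this post; it is not code from Wallarm, Cisco, or any of the products listed) shows the defensive counterpart: a service that loads its JWT signing key from the environment at startup, refuses to run if the key is missing, too short, or present in a known-weak list, and signs and verifies tokens with that key. The KNOWN_WEAK_SECRETS set is a small constructed stand-in for a dataset like the jwt-secrets repository, and the JWT_SIGNING_KEY variable name is a hypothetical choice.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Iterable, Mapping, Optional

# Constructed stand-in for a known-weak / compromised JWT secret list.
# A real deployment would load the full published dataset instead.
KNOWN_WEAK_SECRETS = {"secret", "changeme", "jwt_secret", "supersecretkey"}

# HS256 keys should carry at least 256 bits of entropy (32 bytes).
MIN_SECRET_BYTES = 32


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_secret_policy(secret: str, known_weak: Iterable[str] = KNOWN_WEAK_SECRETS) -> list:
    """Return policy findings for a candidate signing secret; empty list means acceptable."""
    findings = []
    if secret in set(known_weak):
        findings.append("secret appears in known-weak/compromised list")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(f"secret shorter than {MIN_SECRET_BYTES} bytes")
    return findings


def generate_signing_key() -> str:
    """Produce a fresh random key suitable for HS256 (43 url-safe characters, 256 bits)."""
    return secrets.token_urlsafe(32)


def load_signing_key(env: Mapping[str, str] = os.environ, name: str = "JWT_SIGNING_KEY") -> bytes:
    """Load the signing key from configuration; fail closed instead of falling back to a built-in default."""
    secret = env.get(name)
    if not secret:
        raise RuntimeError(f"{name} is not set; refusing to start with a hardcoded default key")
    findings = check_secret_policy(secret)
    if findings:
        raise RuntimeError("rejected signing key: " + "; ".join(findings))
    return secret.encode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Create a compact JWT signed with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(signature)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token's HS256 signature matches `key`, else None."""
    try:
        header, body, signature = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking signature bytes through timing.
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    # Simulated startup with a freshly generated key (constructed example).
    key = load_signing_key({"JWT_SIGNING_KEY": generate_signing_key()})
    token = sign_hs256({"sub": "ap-01", "role": "operator"}, key)
    print("verified payload:", verify_hs256(token, key))
    # A service configured with a known-weak default key never gets this far:
    print("policy findings for 'secret':", check_secret_policy("secret"))
```

The startup check is the part that matters most: a key that lives only in the environment or a secrets manager cannot be lifted from a firmware image or a public repository, and refusing to boot on a known-weak or short value turns a silent misconfiguration into a visible deployment error.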

How Wallarm Helps Prevent These Issues

Leaked and hardcoded credentials are a growing threat. Fortunately, Wallarm’s Advanced API Security Module provides targeted detection and monitoring capabilities to protect your organization. They include:

  • API Leaks Detection: This feature enables security teams to identify exposed JWT secrets and other credentials across public repositories, Postman collections, and source code platforms.
  • JWT Secret Database: Wallarm maintains a continually updated open-source dataset of over 100,000 known JWT signing keys, available publicly at GitHub – jwt-secrets. This database includes commonly used, compromised, or weak keys sourced from real-world code.

What’s more, the detection module is now automatically included in Wallarm’s Advanced API Security subscription, providing real-time visibility into credential leakage across the SDLC. 

As demonstrated by CVE-2025-20188 and numerous similar vulnerabilities, hardcoded JWT secrets represent one of the most severe and persistent risks in modern application security. These flaws enable attackers to bypass authentication, impersonate users, and compromise critical systems – often with minimal effort. Addressing this issue requires a combination of secure development practices, automatic scanning, and credential leak monitoring. Wallarm empowers security teams to meet this challenge head-on, offering comprehensive tools for identifying and mitigating credential exposures before they can be exploited. Want to find out more about how Wallarm can help protect your organization? Schedule a demo here.

The post The Ongoing Risks of Hardcoded JWT Keys appeared first on Wallarm.

*** This is a Security Bloggers Network syndicated blog from Wallarm authored by Sergei Okhotin. Read the original post at: https://lab.wallarm.com/cve-2025-20188-risks-hardcoded-jwt-keys/
