\nIn early May 2025, Cisco released software fixes to address a flaw in its IOS XE Software for Wireless LAN Controllers (WLCs). The vulnerability, tracked as CVE-2025-20188, has a CVSS score of 10.0 and could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system \u2013 but the real story is that this vulnerability drives home the persistent risks associated with hardcoded credentials, particularly JSON Web Tokens (JWTs), in network infrastructure components. <\/p>\n
In this blog post, we\u2019ll explore CVE-2025-20188, the concerning trend of hardcoded JWT secrets, and how Wallarm can help prevent these kinds of issues. <\/p>\n
## What is CVE-2025-20188?<\/p>\n
CVE-2025-20188 is a critical vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLCs. The core issue lies in a hardcoded JWT \u2013 a predictable, reusable authentication key – embedded within the software. Attackers could exploit this vulnerability by sending API requests using this hardcoded key to the AP image download interface.<\/p>\n
If successful, they could upload any files they want to the system, navigate to areas they shouldn\u2019t (a technique known as path traversal), and even execute commands with full administrator (root) privileges. However, it is important to note that the vulnerable Out-of-Band AP Image Download feature is disabled by default, meaning this is only a risk if someone has manually turned this feature on. <\/p>\n
## CVE-2025-20188’s Potential Impact<\/p>\n
As noted, CVE-2025-20188 is a maximum severity flaw with significant potential impacts. If an attacker were to exploit this vulnerability, they could:<\/p>\n
* Gain unauthorized access to sensitive information
* Disrupt network services
* Achieve complete system compromise with root-level access<\/p>\n
Given the severity and potential impact, organizations utilizing affected Cisco WLCs should address this vulnerability as a matter of urgency. <\/p>\n
## Products Affected by CVE-2025-20188<\/p>\n
If you\u2019re wondering whether you might be affected by this vulnerability, it is present in the following Cisco products when running vulnerable versions of IOS XE Software with the Out-of-Band AP Image Download feature enabled:<\/p>\n
* Catalyst 9800-CL Wireless Controllers for Cloud
* Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
* Catalyst 9800 Series Wireless Controllers
* Embedded Wireless Controller on Catalyst Access Points<\/p>\n
## Recommendations for Mitigating CVE-2025-20188<\/p>\n
Cisco has provided recommendations for organizations and individuals that might be affected by CVE-2025-20188:<\/p>\n
1. **Update Cisco Software:** Apply the latest patches provided by Cisco for IOS XE Software to eliminate the vulnerability. Regular updates are essential to address newly discovered security flaws.
2. **Verify Feature Configuration:** Ensure that the **Out-of-Band Access Point (AP) Image Download** feature is **disabled** unless explicitly required. This feature is not enabled by default, and turning it off reduces potential exposure.
3. **Harden Devices and Minimize Attack Surface:** Disable unnecessary services and features to limit the system\u2019s attack surface. Follow industry best practices, such as the **CIS Benchmarks for Cisco devices**, to secure device configurations and enforce consistent security policies.<\/p>\n
Taking these steps can not only protect against this specific vulnerability but also help prevent exploitation of similar flaws in the future.<\/p>\n
## The Prevalence of Hardcoded JWT Secrets<\/p>\n
However, as we mentioned earlier, the staggering prevalence of hardcoded JWT keys is the real story here. According to the Wallarm ThreatStats Report for Q1 2025, hardcoded secrets \u2013 alongside misconfiguration and unauthenticated API access \u2013 contributed to an overwhelming majority of API security breaches in Q1, particularly in AI and healthcare sectors. <\/p>\n
<\/p>\n
These flaws affect a diverse range of software – from web applications to industrial control systems and developer tools – making them a cross-cutting concern for software teams across all sectors. To put their prevalence into context, here\u2019s just a few of the CVEs from the past three years related to hardcoded JWT keys: <\/p>\n
**CVE ID**| **Product Name**| **Description**| **Product Type**
—|—|—|—
CVE-2025-26340| Q-Free MaxTime| Use of a hardcoded JWT key allows unauthenticated remote access via forged HTTP requests.| Traffic System
CVE-2023-5074| D-Link D-View 8| Hardcoded JWT key allows authentication bypass and restricted operations.| Network Software
CVE-2023-33371| Control iD iDSecure| JWT key hardcoded in source code, allowing forgery of session tokens.| Access Control
CVE-2023-33236| Moxa MXsecurity Series| Authentication bypass via embedded JWT key.| Security Device
CVE-2023-27172| Xpand IT Write-Back| Weak, hardcoded JWT secret could be brute-forced to impersonate users.| Web App
CVE-2022-36672| Novel-Plus| Config files contain hardcoded JWT key enabling unauthorized sessions.| Web App
CVE-2022-35540| AgileConfig| Admin access gained by generating JWTs with known secret.| DevOps Tool
CVE-2022-3214| Delta Electronics DIAEnergie| Unauthenticated access via a static JWT key.| Industrial
CVE-2021-40494| AdaptiveScale LXDUI| Admin-level access obtained through hardcoded secret in management UI.| Dev Tool
CVE-2020-4283| IBM Security Info Queue| JWT secret stored in plain text in configuration files.| Security Tool
CVE-2020-1764| Kiali| Default config includes hardcoded JWT key, leading to token forgery.| Dashboard Tool <\/p>\n
This list, while not exhaustive, underscores both the persistence and widespread nature of hardcoded JWT secrets across diverse technology stacks. The very fact that vulnerabilities of this nature continue to be so common highlights a concerning and consistent failure on the part of many organizations to implement secure development practices. Exploiting these weaknesses often requires very little effort on the part of attackers, yet can lead to severe consequences. So, how can organizations protect themselves from these kinds of vulnerabilities? With Wallarm.<\/p>\n
## How Wallarm Helps Prevent These Issues<\/p>\n
Leaked and hardcoded credentials are a growing threat. Fortunately, Wallarm\u2019s Advanced API Security Module provides targeted detection and monitoring capabilities to protect your organization. They include:<\/p>\n
* **API Leaks Detection****:** This feature enables security teams to identify exposed JWT secrets and other credentials across public repositories, Postman collections, and source code platforms.
* **JWT Secret Database:** Wallarm maintains a continually updated open-source dataset of over 100,000 known JWT signing keys, available publicly at GitHub \u2013 jwt-secrets. This database includes commonly used, compromised, or weak keys sourced from real-world code.<\/p>\n
What\u2019s more, the detection module is now automatically included in Wallarm’s Advanced API Security subscription, providing real-time visibility into credential leakage across the SDLC. <\/p>\n
As demonstrated by CVE-2025-20188 and numerous similar vulnerabilities, hardcoded JWT secrets represent one of the most severe and persistent risks in modern application security. These flaws enable attackers to bypass authentication, impersonate users, and compromise critical systems – often with minimal effort. Addressing this issue requires a combination of secure development practices, automatic scanning, and credential leak monitoring.Wallarm empowers security teams to meet this challenge head-on, offering comprehensive tools for identifying and mitigating credential exposures before they can be exploited. Want to find out more about how Wallarm can help protect your organization? Schedule a demo here.<\/p>\n
The post The Ongoing Risks of Hardcoded JWT Keys appeared first on Wallarm.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title The Ongoing Risks of Hardcoded JWT Keys Update ID WALLARMLAB:4D47E2905DBF6673005CB23F843849F4 Type wallarmlab Published 2025-05-12T13:37:09 Last Updated 2025-05-12T13:37:09 Security Impact…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,5,105],"class_list":["post-3977","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n
The Ongoing Risks of Hardcoded JWT Keys - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3977\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Ongoing Risks of Hardcoded JWT Keys - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title The Ongoing Risks of Hardcoded JWT Keys Update ID WALLARMLAB:4D47E2905DBF6673005CB23F843849F4 Type wallarmlab Published 2025-05-12T13:37:09 Last Updated 2025-05-12T13:37:09 Security Impact...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3977\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-12T09:34:07+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"The Ongoing Risks of Hardcoded JWT Keys\",\"datePublished\":\"2025-05-12T09:34:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977\"},\"wordCount\":1218,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3977#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977\",\"name\":\"The Ongoing Risks of Hardcoded JWT Keys - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-12T09:34:07+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3977\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3977#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Ongoing Risks of Hardcoded JWT Keys\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Ongoing Risks of Hardcoded JWT Keys - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3977","og_locale":"en_US","og_type":"article","og_title":"The Ongoing Risks of Hardcoded JWT Keys - zero redgem","og_description":"Security Update News Update Information Title The Ongoing Risks of Hardcoded JWT Keys Update ID WALLARMLAB:4D47E2905DBF6673005CB23F843849F4 Type wallarmlab Published 2025-05-12T13:37:09 Last Updated 2025-05-12T13:37:09 Security Impact...","og_url":"https:\/\/zero.redgem.net\/?p=3977","og_site_name":"zero redgem","article_published_time":"2025-05-12T09:34:07+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3977#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3977"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"The Ongoing Risks of Hardcoded JWT Keys","datePublished":"2025-05-12T09:34:07+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3977"},"wordCount":1218,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3977#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3977","url":"https:\/\/zero.redgem.net\/?p=3977","name":"The Ongoing Risks of Hardcoded JWT Keys - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-12T09:34:07+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3977#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3977"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3977#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"The Ongoing Risks of Hardcoded JWT Keys"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3977"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3977\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}