Cisco on Wednesday announced patches for 35 vulnerabilities, including 26 as part of its semiannual IOS and IOS XE security advisory bundle publication.
The IOS updates fix one critical-severity and 16 high-severity bugs. The critical issue, tracked as CVE-2025-20188 (CVSS score of 10/10), is described as an arbitrary file upload flaw in the Out-of-Band Access Point (AP) image download feature of IOS XE software.
A hard-coded JSON Web Token (JWT) allows attackers to upload files by sending crafted HTTP requests to the AP image download interface.
“A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges,” Cisco explains in its advisory.
While the security defect can be exploited remotely, without authentication, it only impacts Wireless LAN Controllers (WLCs) that have the Out-of-Band AP image download feature enabled. By default, it is disabled.
The most severe of the high-severity vulnerabilities in the semiannual security bundle could allow remote attackers to inject commands, cause a denial of service (DoS) condition, or elevate their privileges.
While the command injection (CVE-2025-20186) and privilege escalation (CVE-2025-20164) flaws require authentication, the DoS issues (CVE-2025-20154, CVE-2025-20182, and CVE-2025-20162) can be exploited by unauthenticated attackers.
The remaining high-severity defects patched in IOS and IOS XE software could lead, under certain conditions, to DoS, privilege escalation, or to the execution of persistent code at boot time.
The semiannual security bundle also addresses medium-severity IOS software flaws that could be exploited to mount a cross-site request forgery (CSRF) attack, perform SNMP operations from denied sources, bypass traffic filters, read configuration or operational data, write arbitrary files to the system, remove arbitrary users, or cause a DoS condition.
On Wednesday, Cisco also announced fixes for high-severity bugs in the management API of Catalyst Center and the CLI of Catalyst SD-WAN Manager that could allow attackers to modify the outgoing proxy configuration settings and escalate privileges, respectively.
Multiple medium-severity vulnerabilities were also addressed with the Catalyst Center and Catalyst SD-WAN Manager updates.
Additionally, the tech giant announced that no patches will be released for CVE-2025-20137, a medium-severity bypass in the access control list (ACL) programming of Catalyst 1000 and Catalyst 2960L switches, because the vulnerable configuration is not supported.
“This vulnerability is due to the use of both an IPv4 ACL and a dynamic ACL of IP Source Guard on the same interface, which is an unsupported configuration. An attacker could exploit this vulnerability by attempting to send traffic through an affected device,” Cisco says.
Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. However, it warns that proof-of-concept (PoC) code targeting two medium-severity issues (CVE-2025-20221, a traffic filter bypass in IOS XE SD-WAN; and CVE-2025-20147, an XSS flaw in Catalyst SD-WAN Manager) exists.
On Wednesday, Cisco also updated the list of products affected by the critical Erlang/OTP SSH security defect disclosed in mid-April, as well as the status of patches. Tracked as CVE-2025-32433 (CVSS score of 10) and exploitable without authentication, the flaw leads to remote code execution (RCE).
Users are advised to apply the available patches and workarounds as soon as possible. Additional information can be found on Cisco’s security advisories page.
Related: Cisco Patches 10 Vulnerabilities in IOS XR
Related: Vulnerabilities Patched in Atlassian, Cisco Products
Related: Vulnerabilities Expose Cisco Meraki and ECE Products to DoS Attacks
Related: Hackers Target Cisco Smart Licensing Utility Vulnerabilities