Cisco WLCs Under Fire: Max Severity Bug Demands Your Attention NOW!

Heads up, security pros! Cisco just dropped a bombshell: a maximum severity (CVSS 10.0!) vulnerability lurking in its IOS XE Software for Wireless LAN Controllers (WLCs). Tracked as CVE-2025-20188, this isn’t your average bug. We’re talking about a hard-coded JSON Web Token (JWT) that could let unauthenticated attackers waltz right in, upload whatever they want, and execute commands with root privileges. Yeah, it’s that bad.

The silver lining? This nasty flaw is only exploitable if a specific feature, “Out-of-Band Access Point (AP) Image Download,” is switched on. Good news: it’s off by default. Bad news: if you’ve enabled it, you’re on the hot seat. The main targets are the Cisco Catalyst 9800 series WLCs and their embedded controller cousins.

Cisco pushed out patches around May 7, 2025. As of early May, there were no screams from the wild about active exploits or public proof-of-concept (PoC) code. But don’t let that lull you into a false sense of security.

Your immediate action plan:

1. CHECK YOUR CONFIGS: Is “Out-of-Band AP Image Download” enabled on your Cisco WLCs?
2. DISABLE IF ACTIVE: If yes, and you can’t patch right now, turn that feature OFF.
3. PATCH, PATCH, PATCH: Get those official Cisco updates deployed ASAP.

This is a big deal, especially for sectors like higher education and healthcare that lean heavily on wireless and might have flipped that switch for operational ease. That CVSS 10.0 isn’t just for show, but the “off-by-default” nature is a saving grace—for now. Let’s dive into the nitty-gritty.

The Nitty-Gritty: CVE-2025-20188 Deconstructed

So, What’s the Actual Problem? (Hello, CWE-798)

At its heart, CVE-2025-20188 is a classic case of CWE-798: Use of Hard-coded Credentials. Cisco embedded a static JSON Web Token (JWT) right into the IOS XE software for their Wireless LAN Controllers. Think of it as leaving the master key under the doormat. An attacker who knows this token can craft some sneaky HTTPS requests to the AP image download interface and bypass all your carefully constructed authentication.

This isn’t a subtle flaw. It’s a direct path to pwnage. If exploited, an attacker gets the keys to the kingdom: uploading arbitrary files, dancing around directory restrictions (path traversal), and ultimately, running commands as root. That “Scope: Changed” in the CVSS score? It means the bad guys can break out of the vulnerable feature’s sandbox and take over the whole WLC operating system. Ouch. For a major player like Cisco, this kind of slip-up in a critical network device raises eyebrows about their secure development lifecycle for this particular feature.

Which Cisco Gear is Sweating?

This vulnerability is picky, but its targets are significant:

• Catalyst 9800-CL Wireless Controllers for Cloud
• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers (like the 9800-L, 9800-40, 9800-80)
• Embedded Wireless Controller on Catalyst APs

Remember, it’s not just about having these devices; it’s about running a vulnerable version of IOS XE and having that “Out-of-Band AP Image Download” feature enabled. Cisco’s Software Checker tool is your friend here to pinpoint if your specific version is in trouble and what fix you need. The bug is also known internally at Cisco as CSCwk33139.

Why the CVSS 10.0 “Critical” Panic Button?

A CVSS score of 10.0 is as bad as it gets. Here’s the breakdown of the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H):

• Attack Vector: Network (AV:N): They can hit you from anywhere on the internet.
• Attack Complexity: Low (AC:L): No PhD in hacking required.
• Privileges Required: None (PR:N): They don’t need a password or an account.
• User Interaction: None (UI:N): No need to trick a user into clicking anything.
• Scope: Changed (S:C): They get more than just the vulnerable part; they get the whole system.
• Confidentiality Impact: High (C:H): They can read all your secrets on the WLC.
• Integrity Impact: High (I:H): They can change anything they want on the WLC.
• Availability Impact: High (A:H): They can knock your WLC (and your wireless network) offline.

Table 1: CVE-2025-20188 – The Ugly Snapshot

How Far Reaching is This? Scope and Impact

Cisco’s Big Footprint: Why This Matters

Cisco isn’t a small fish; they’re a whale in the enterprise WLAN ocean, holding around 39.5% market share at the end of 2024. The Catalyst 9800 series? That’s their workhorse for everything from branch offices to massive enterprise campuses. While we don’t have exact sales numbers for the 9800s, Cisco’s market dominance means a lot of these devices are out there. And with the enterprise WLAN market itself growing, the potential pool of vulnerable (if misconfigured and unpatched) devices is only getting bigger.

That Pesky “Out-of-Band AP Image Download” Feature

So, what’s this “Out-of-Band AP Image Download” feature all about? It lets Access Points (APs) grab their software images and configs directly over HTTPS, instead of the usual CAPWAP protocol.

Why would anyone use it?

• APs playing hide-and-seek outside the WLC’s normal CAPWAP reach (think remote offices, DMZs).
• Speeding up firmware rollouts in big, automated deployments.
• Making image upgrades over slow WAN links less painful.

The critical takeaway here is that this feature is DISABLED BY DEFAULT. This is a huge mitigating factor. Your WLC is only vulnerable if an admin deliberately turned this on. You can check its status with a simple CLI command: show running-config | include ap upgrade. If you see ap upgrade method https, alarm bells should be ringing.

But here’s the catch: “disabled by default” can breed complacency. Admins might assume they’re safe without checking, especially in complex setups where configurations change hands or were set up for reasons now lost to time. So, verify, don’t assume! Ironically, the large, complex networks that might benefit most from this feature are also the ones at higher risk if it’s enabled.

Table 2: Affected Cisco Gear & The Danger Condition

The Attacker’s Playbook: Risk & Exploitation

How They’d Get In: Remote, No Auth Needed

For attackers, CVE-2025-20188 is a juicy target if the conditions are right. They can hit you remotely over the network with specially crafted HTTPS requests. No need for credentials (it’s unauthenticated), and no need to trick a user into doing anything (no user interaction). Physical access? Not required. The only major hurdle for them is that “Out-of-Band AP Image Download” feature being enabled on a vulnerable WLC.

What Happens if They Break In? Full System Compromise

A successful exploit isn’t just a peek inside; it’s a full-blown takeover. With root privileges on the WLC, an attacker can:

• Steal Your Data: Snatch sensitive info like network configs, credentials, or even user data.
• Move Around: Use the WLC as a launchpad to attack other parts of your network.
• Stay Awhile: Install backdoors or create rogue admin accounts for long-term access.
• Break Things: Disrupt your wireless network or mess with traffic (hello, man-in-the-middle).
• Join a Botnet: Turn your WLC into a zombie for DDoS attacks or other nefarious deeds.

Getting root on a WLC is like handing over the keys to your wireless kingdom. The potential for damage is massive.

Exploit Status: Quiet… For Now

As of early May 2025, when Cisco dropped the advisory, there were no public proof-of-concept (PoC) exploits for CVE-2025-20188. Cisco also said they hadn’t seen it being used in the wild.

But hold on. This bug was found by Cisco’s own internal security team (ASIG). That means they know it’s exploitable. With a CVSS 10.0 score and a direct path to RCE, you can bet that sophisticated attackers (yes, including state-sponsored ones) are already trying to cook up their own exploits. The quiet period after a critical vuln disclosure is often short. Don’t mistake “no public PoC” for “no risk.”

Attack Chains: From Breach to Broad Impact

Here’s how a typical attack might unfold:

1. Recon & Initial Access: Attackers scan for Cisco WLCs with the vulnerable feature enabled and running a known bad IOS XE version. Found one? They use the hard-coded JWT to bypass auth and upload a malicious file (think web shell or reverse shell payload) via a crafted HTTPS request.
2. Execution: They trigger their uploaded payload. This might involve path traversal to overwrite a legit system file or just running it directly if the upload spot allows. Boom – root command execution.
3. Privilege Escalation: Not needed! They land as root.
4. Lateral Movement: From their new throne on the WLC, they could:
   • Push bad firmware to connected APs.
   • Sniff or manipulate network traffic.
   • Attack other devices on your management or client networks.
5. Persistence: To stick around, they might:
   • Install rootkits.
   • Create hidden admin accounts.
   • Modify startup scripts.
6. Chaining Fun: While CVE-2025-20188 gives them the WLC, they could chain it with other vulns. Maybe use the WLC to scan for and pop client devices on the Wi-Fi, or attack internal services like RADIUS or domain controllers. History shows IOS XE itself is a popular target.

Mapping the Mayhem: MITRE ATT&CK®

Let’s frame this within the MITRE ATT&CK® framework to see how these baddies operate:

• Tactic: Initial Access (TA0001)
  • Technique T1190: Exploit Public-Facing Application: The WLC’s management interface, with that “Out-of-Band AP Image Download” feature enabled, is the public-facing app. The hard-coded JWT is the key to exploiting it.
• Tactic: Credential Access (TA0006)
  • Technique T1552: Unsecured Credentials:
    • Sub-technique T1552.006: Hardcoded Credentials: This is the bullseye. That embedded JWT is the hard-coded credential.
• Tactic: Execution (TA0002)
  • Technique T1059: Command and Scripting Interpreter: Specifically, T1059.004: Unix Shell. Root access means they’re running whatever they want on the underlying Linux-based IOS XE.
• Tactic: Privilege Escalation (TA0004)
  • Technique T1068: Exploitation for Privilege Escalation: Going from zero access to root in one shot? Classic exploitation for privilege escalation.

This mapping shows a terrifyingly efficient attack: exploit a hard-coded credential (T1552.006) for initial access (T1190), leading directly to execution (T1059.004) with god-mode privileges (T1068). Once they’re in, a whole world of other ATT&CK techniques opens up for persistence, lateral movement, and causing general chaos. A compromised WLC is a goldmine for attackers.

Table 3: MITRE ATT&CK® Techniques – CVE-2025-20188 Edition

Fighting Back: Mitigation and Fixes

Alright, enough doom and gloom. Here’s how you defend against CVE-2025-20188:

Stop the Bleeding: Check and Disable That Feature!

First things first: find out if you’re exposed. Run this on your WLC’s command line: show running-config | include ap upgrade

If it spits back ap upgrade method https, that feature is ON, and you’re in the danger zone if you’re on a vulnerable IOS XE version.

If you can’t patch immediately, Cisco’s top advice is to disable this feature: Enter global config mode and type: no ap upgrade method https

This forces AP image downloads back to the CAPWAP method. Cisco says this shouldn’t mess with AP client states, but always test in your own environment. This isn’t a true “fix” for the hard-coded JWT (that stays in the code until patched), but it yanks away the attack vector that uses it for AP image downloads.

Patch It Up: The Real Solution

Cisco has rolled out free software updates. This is the real fix.

1. Hit up the Cisco Software Checker (https://sec.cloudapps.cisco.com/security/center/softwarechecker.x) to find the right patched IOS XE version for your WLCs.
2. Grab the updates. If you have service contracts, use your usual channels. No contract but bought it legit? Contact Cisco TAC.
3. Follow standard IOS XE upgrade procedures. Make sure you have enough memory and your hardware/software configs are compatible with the new release.

Extra Armor: Harden Your WLCs

Don’t stop at patching. Beef up your WLC security overall:

• Lock Down Management Access: Seriously restrict network access to WLC management interfaces. Trusted admin networks or dedicated management subnets ONLY.
• Audit Your Configs Regularly: Make it a habit to check WLC settings, especially that “Out-of-Band AP Image Download” feature. Keep it off unless absolutely, positively necessary (and documented!).
• Least Privilege is Your Friend: Admin accounts for WLCs? Strong, unique passwords, MFA if you can, and only the permissions they absolutely need.
• Patch Everything, Always: Keep all your network gear, WLCs and APs included, up to date.
• Firewall Power: Put your WLCs behind firewalls that can inspect traffic to their management interfaces.

Cisco rightly says to test any workarounds in your own setup. Disabling the feature is the strong recommendation here, but if you need it, patch like your job depends on it (it might!).

Spotting the Enemy: Detection and Threat Hunting

If the worst happens, how do you spot it? You’ll need to dig into logs, watch network traffic, and maybe even do some proactive hunting.

Log Diving: WLC & Syslog Clues

Your WLC logs are your first line of forensic evidence. Cisco even has guides for this. Look for:

• Mysterious Config Changes: Any tweaks to ap upgrade method https you didn’t authorize?
• Weird Log Entries: Strange errors, access attempts, or odd system behavior.
• Fishy File Activity: Unexpected file uploads or changes, especially in system areas. The dir /recursive all-filesystems command output can be a goldmine if you have a baseline.
• Rogue Processes: New or unexpected apps running? show iox and show app-hosting list can help.
• Memory Tampering Signs: The show platform software process memory chassis active r0 name iosd smaps command showing non-zero “Private Dirty” for executable segments with write permissions (rwxp) could be a red flag for memory-resident malware.
• Failed Integrity Checks: Alerts from verify or show software authenticity commands.
• HTTPS Access Logs: Pay close attention to HTTPS requests to that AP image download interface. Look for weird source IPs, huge POST requests, or a flood of attempts.

Knowing what’s “normal” for your WLC is key. Without a baseline, good luck spotting the bad stuff.

Network Alarms: IDS/IPS and Traffic Spikes

While specific IDS/IPS signatures for CVE-2025-20188 weren’t public as of early May 2025, network monitoring can still help:

• Path Traversal Alerts: Generic IDS/IPS rules for path traversal (../, ..%2F) in HTTP/HTTPS requests to WLC management interfaces might catch something.
• JWT Spotting: If that hard-coded JWT ever leaks publicly, signatures could be made to detect it in HTTP headers.
• Strange Outbound Calls: WLCs suddenly phoning home to unknown C2 servers? Big red flag.
• Traffic Volume Oddities: Unusually large file uploads via HTTPS to the AP image download path? Investigate!

SIEM Magic: Querying for Trouble

Your SIEM can be a powerful ally:

• Spotting the Vulnerable Feature:
  • If WLC configs hit your SIEM: sourcetype=cisco_ios_xe_config event_text="ap upgrade method https"
• Anomalous HTTPS Access (Conceptual):
  • SELECT source_ip, COUNT(*) AS access_attempts FROM wlc_https_logs WHERE url_path LIKE '%/ap_image_download_interface_path%' AND http_method='POST' GROUP BY source_ip HAVING access_attempts > <threshold>
  • Alert on access from non-allowlisted IPs or unusually large POSTs.
• Suspicious File Uploads:
  • Monitor WLC file system or audit logs for file creation, especially executables in weird places.
• Unauthorized Commands:
  • If you log commands (e.g., via TACACS+): sourcetype=tacacs_accounting device_ip=<wlc_ip> command NOT IN (<legitimate_command_list>)
• Vulnerability Scanner Integration:
  • Pipe in results from scanners like Tenable (they track this as issue 192956). Alerts for unpatched WLCs with the feature ON should scream “priority!”

Automating some of Cisco’s forensic checklist items in your SIEM can shift you from reactive to proactive.

Table 4: Your Hit List – Mitigation & Detection Actions

Sector Spotlight: Higher Ed & Healthcare on High Alert

This vulnerability doesn’t hit everyone the same way. Higher education and healthcare, with their sprawling and critical wireless networks, need to be especially vigilant.

Higher Education: Open Networks, Big Risks

• The Danger Zone:
  • Huge, Open Networks: Campuses are Wi-Fi jungles for students, faculty, staff, guests.
  • BYOD Madness: So. Many. Personal. Devices. Expanding the internal attack surface if a WLC goes down.
  • Decentralized IT: Different departments, different rules? Inconsistent security is a risk.
  • Old Gear: Tight budgets can mean legacy systems that are tough to patch.
  • Operational Needs: Managing APs across vast campuses might have made that “Out-of-Band AP Image Download” feature look mighty tempting.
• The Fallout: A compromised WLC could mean:
  • Campus-wide network outages.
  • Stolen research data, student records (FERPA!), PII.
  • WLC becomes an attacker’s beachhead.
  • Major reputation hit.
• Your Game Plan:
  1. Central Audit: Check ALL Cisco WLCs (especially Catalyst 9800s) for vulnerable IOS XE and that feature’s status.
  2. Patch or Disable NOW.
  3. Segment, Segment, Segment: Isolate critical systems, research nets, and sensitive data from the general Wi-Fi chaos. WLC management interfaces need to be Fort Knox.
  4. Boost Monitoring: Focus on WLC logs for those IoCs.
  5. Train Your IT Staff: Make sure they know about this vuln and secure config management.
  6. Update IR Plans: What happens if a WLC does get popped?

Healthcare: Patient Safety on the Line

• The Danger Zone:
  • Prime Target: Healthcare is a goldmine for attackers after PHI.
  • IoMT Explosion: Wireless medical devices, EHR access, patient Wi-Fi – it’s all on the WLAN.
  • Legacy Medical Gear: Many medical devices are old and unpatchable, making the network they sit on even more critical.
  • Sprawling Networks: Hospitals, clinics, remote care – again, that feature might have been enabled for convenience.
  • HIPAA Hammer: Massive penalties for data breaches.
• The Fallout: A WLC compromise here is catastrophic:
  • PHI breaches leading to massive fines and patient privacy nightmares.
  • Disrupted clinical workflows, impacting patient care.
  • Tampered IoMT devices – misdiagnosis, wrong treatment, patient harm.
  • Ransomware shutting down the hospital.
  • Direct patient safety risks. This isn’t just data; it’s lives.
• Your Game Plan:
  1. URGENT Audit: Identify and remediate CVE-2025-20188 on all Cisco WLCs. Patch or disable immediately.
  2. Aggressive Segmentation: Isolate medical devices, clinical systems, admin functions, guest Wi-Fi. WLC management interfaces need extreme protection.
  3. Continuous Monitoring: Eyes on WLC behavior, weird traffic, unauthorized access. Robust logging and alerting are non-negotiable.
  4. Regular Pen Tests: Include checks for misconfigured network gear.
  5. BCDR Update: Plan for WLC compromise and its impact on clinical ops.
  6. Specialized Staff Training: Focus on healthcare-specific threats and IR, emphasizing patient safety.

Both higher ed and healthcare, with their large, distributed networks, are more likely to have enabled “Out-of-Band AP Image Download.” This makes proactive checks and fixes absolutely vital.

Table 5: Higher Ed & Healthcare – Tailored Risks & Recos

Urgency & The Real World: Patch Now, Don’t Wait

Threat Intel: No Exploits Seen… Yet

As of Cisco’s advisory (May 7/8, 2025), no active exploits for CVE-2025-20188 were reported in the wild. No public PoCs either. But don’t pop the champagne. A CVSS 10.0 for a hard-coded credential leading to RCE with root? That’s catnip for attackers, from state-sponsored crews to common cybercrooks. They will be scanning and trying to build exploits.

Remember CVE-2023-20198 and CVE-2023-2027 in Cisco IOS XE? Reports said China-linked hackers (“RedMike”) used them against U.S. telcos. Critical Cisco flaws get weaponized. CVE-2025-20188 is prime material. And again, Cisco’s own ASIG team found this, confirming it’s exploitable.

Why You Need to Patch YESTERDAY

Fast, widespread patching is the only way to shrink the attackers’ window of opportunity. Don’t wait for news of active exploitation – by then, you could be the news.

This whole mess is also a brutal reminder of basic security hygiene:

• Keep Software Updated. Period.
• Turn Off Stuff You Don’t Need. Less attack surface is good.
• Audit Configs Regularly. Don’t let settings drift into danger.
• Segment and Control Access. Especially for management interfaces.

How quickly orgs patch this will determine its real-world damage. Slow patching = extended playtime for attackers.

The Nitty Gritty: CVE Details

• Primary CVE: CVE-2025-20188
  • NVD Published: May 7, 2025
  • CVSS v3.1 Score: 10.0 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
• Cisco Bug ID: CSCwk33139

No high-profile incidents linked to this CVE as of early May 2025. Let’s keep it that way.

Your Action Plan: Key Takeaways for Security Teams

Alright, let’s boil this down to your immediate to-do list:

1. CHECK THE FEATURE, STAT! On all Cisco Catalyst 9800 series WLCs (and embedded ones), run show running-config | include ap upgrade. Is “Out-of-Band AP Image Download” ON?
2. DISABLE IF ACTIVE (AND PATCHING IS DELAYED): If it’s on (ap upgrade method https) and you can’t patch this second, turn it off: no ap upgrade method https (in global config mode). But weigh any operational impact carefully.
3. PATCH LIKE YOU MEAN IT: Get those official Cisco software updates deployed ASAP. Use the Cisco Software Checker for the right versions.
4. LEVEL UP MONITORING: Watch WLC logs (local, syslog, SIEM) like a hawk for weird HTTPS access to that download interface, strange file uploads, rogue commands, or other IoCs from Cisco’s forensic guide.
5. HARDEN YOUR NETWORK: Make sure WLC management interfaces are isolated and access is super restricted.
6. STAY IN THE KNOW: Subscribe to Cisco PSIRT advisories. Watch threat intel feeds for any news on CVE-2025-20188 exploits or campaigns.
7. EDUCATE YOUR TEAM: Make sure your network admins and SOC folks know this vulnerability, its risks, and what to do.

This isn’t a drill. A layered defense – immediate risk reduction, fast patching, and ongoing vigilance – is your best bet.

The Bottom Line: Don’t Get Caught Napping

CVE-2025-20188 is a monster of a vulnerability in widely used Cisco WLCs. A hard-coded JWT leading to unauthenticated remote root RCE? It doesn’t get much scarier.

The “disabled by default” nature of the vulnerable feature is a crucial mitigating factor, but it’s not a get-out-of-jail-free card. Verify, don’t assume. That Cisco’s own internal team found this is good, but it also shows that even major vendors can ship critical flaws. This means you need to be on your game with solid security practices: diligent config management, prompt patching, and constant monitoring.

Sophisticated attackers love flaws in ubiquitous network gear. Past IOS XE vulns prove it. Your response to CVE-2025-20188 needs to be swift and decisive. Check your systems, mitigate if needed, patch immediately, and sharpen your detection. Securing your network is a team sport between you and your vendors. Don’t let this critical threat catch you off guard.

---

References

• https://www.reddit.com/r/networking/comments/1kh476g/cve_10_cisco_ios_xe_wireless_controller/
• https://hide.me/en/blog/cisco-addresses-critical-vulnerability-in-ios-xe-wireless-controllers/
• http://www.scmagazine.com/news/cisco-patches-maximum-severity-vulnerability-in-ios-xe-software
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
• https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password
• https://cwe.mitre.org/data/definitions/798.html
• https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/
• https://securityaffairs.com/177609/security/cisco-fixed-a-critical-flaw-in-its-ios-xe-wireless-controller.html
• https://bst.cisco.com/quickview/bug/CSCwk33139
• https://www.communicationstoday.co.in/global-wlan-market-sees-3-2-growth-in-4q24/
• https://www.idc.com/getdoc.jsp?containerId=prUS53261925
• https://ww2.mathworks.cn/help/bugfinder/ref/cwe798.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-20188
• https://www.scworld.com/news/cisco-patches-maximum-severity-vulnerability-in-ios-xe-software
• https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html
• https://www.samuraj-cz.com/en/article/cisco-wlc-c9800-software-upgrade/
• https://community.cisco.com/t5/wireless/ap-ios-updates/td-p/4540504
• https://www.axonius.com/blog/cve-2025-20188
• https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/iosxe_wlc_forensic_guide.html
• https://www.snort.org/rule_docs/1-58276
• https://www.snort.org/rule_docs/1-63532
• https://pentesterlab.com/blog/jwt-vulnerabilities-attacks-guide
• https://www.tenable.com/plugins/pipeline/issues/192956
• https://www.secureitstore.com/C9800-L.asp
• https://documentation.meraki.com/MR/Cloud-Managed_Hybrid_Operating_Mode_for_Catalyst_Wireless_LAN_Controllers/Connecting_Catalyst_9800_Wireless_Controller_to_Dashboard
• https://ww2.mathworks.cn/help/bugfinder/ref/cwe798.html
• https://www.imperva.com/blog/threat-hunting-through-anomaly-detection-on-your-data-lake/
• https://nvd.nist.gov/vuln/detail/CVE-2025-20198
• https://nvd.nist.gov/vuln/detail/CVE-2025-20182
• https://www.youtube.com/watch?v=BvD7Z9BSSgY
• https://www.youtube.com/watch?v=DMOVvU_CCDc
• https://www.marketresearchfuture.com/reports/wireless-lan-controller-market-27781
• https://www.globenewswire.com/news-release/2025/04/14/3060677/0/en/Wi-Fi-Analytics-Market-Competitive-Landscape-Report-2025-with-Cisco-Systems-Skyfii-Purple-Wi-Fi-Fortinet-and-Zebra-Technologies.html
• https://s2.q4cdn.com/951347115/files/doc_financials/2024/ar/2024-Cisco-Full-Annual-Report.pdf
• https://blog.tbrc.info/2025/04/enterprise-wlan-market-report-3/
• https://www.offsec.com/blog/cve-2025-21298/
• https://security.pditechnologies.com/blog/mastering-mitre-enhancing-cybersecurity-with-device-log-mapping/
• https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-node-security/detected-jwt-token/
• https://docs.datadoghq.com/code_analysis/static_analysis_rules/javascript-node-security/detected-jwt-token/
• https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
• https://github.com/MuhammadWaseem29/CVE-2025-29927-POC
• https://www.exploit-db.com/exploits/52145
• https://nvd.nist.gov/vuln/detail/CVE-2025-20158
• https://nvd.nist.gov/vuln/detail/CVE-2025-20168
• https://live.paloaltonetworks.com/t5/general-topics/detecting-or-hunting-for-cve-2025-0108/td-p/1222493
• https://www.site24x7.com/newsletter/feb2024.html
• https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/933951/viewing-the-compromised-hosts-monitor
• https://poddtoppen.se/podcast/304863991/sans-internet-stormcenter-daily-cyber-security-podcast-stormcast/sans-stormcast-thursday-may-8th-modular-malware-sysaid-vuln-cisco-wireless-controller-patch-unifi-protect-camera-patch
• https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/
• https://raxis.com/blog/cisco-releases-patch-for-cve-2025-20188-10-0-cvss/
• https://vectortechsolutions.com/wp-content/uploads/import/C9800-CL_datasheet.pdf
• https://rowelldionicio.com/cisco-catalyst-9800-cl-high-availability/
• https://community.cisco.com/t5/wireless/access-point-image-download/td-p/4891946

Told you it was deep.