https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/
Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers, caused by a hard-coded JSON Web Token (JWT), that allows an unauthenticated remote attacker to take over devices.
This token is meant to authenticate requests to a feature called 'Out-of-Band AP Image Download.' Since it's hard-coded, anyone can impersonate an authorized user without credentials.
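
A defender-side check for the class of flaw described above, as an added example that is not from the article or from Cisco: it scans a firmware or source blob for embedded JWTs and flags tokens that carry no expiry. The sample blob, the token claims and all function names are constructed for illustration.

```python
import base64
import json
import re

# Two base64url JSON segments (a JSON object '{"' encodes to "eyJ") plus a signature.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*")

def b64url_json(segment: bytes):
    """Decode one base64url JWT segment to a dict, or None if it is not JSON."""
    padded = segment + b"=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_embedded_jwts(blob: bytes):
    """Return one finding per well-formed JWT embedded in a byte blob."""
    findings = []
    for m in JWT_RE.finditer(blob):
        header_b64, payload_b64, _sig = m.group(0).split(b".")
        header = b64url_json(header_b64)
        payload = b64url_json(payload_b64)
        if header is None or payload is None or "alg" not in header:
            continue  # regex hit that does not decode to a JWT
        findings.append({
            "offset": m.start(),
            "alg": header["alg"],
            "claims": sorted(payload),
            # Without "exp" the token stays valid for as long as the image ships.
            "never_expires": "exp" not in payload,
        })
    return findings

def make_token(header: dict, payload: dict, sig: bytes = b"c2ln") -> bytes:
    """Build a constructed sample token; the signature is a dummy value."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=")
    return enc(header) + b"." + enc(payload) + b"." + sig

# Constructed sample: a fake firmware string table with one embedded token.
SAMPLE_BLOB = (b"\x00\x01cfg_path=/etc/app\x00auth_token="
               + make_token({"alg": "HS256", "typ": "JWT"},
                            {"sub": "service", "iat": 1700000000})
               + b"\x00version=1.0\x00")

if __name__ == "__main__":
    for finding in find_embedded_jwts(SAMPLE_BLOB):
        print(finding)
```

Run against build artifacts in CI, any finding is a credential that ships identically to every customer and should block the release.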