VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2019 · Updated Nov 21, 2024

Cisco Aironet Series Access Points Denial of Service Vulnerability

CVE-2019-1834

Description

A vulnerability in the internal packet processing of Cisco Aironet Series Access Points (APs) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected AP if the switch interface where the AP is connected has port security configured. The vulnerability exists because the AP forwards some malformed wireless client packets outside of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. An attacker could exploit this vulnerability by sending crafted wireless packets to an affected AP. A successful exploit could allow the attacker to trigger a security violation on the adjacent switch port, which could result in a DoS condition. Note: Though the Common Vulnerability Scoring System (CVSS) score corresponds to a High Security Impact Rating (SIR), this vulnerability is considered Medium because a workaround is available and exploitation requires a specific switch configuration. There are workarounds that address this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco Aironet APs forward malformed wireless packets outside CAPWAP tunnel, causing DoS on adjacent switch port with port security; workaround available.

Vulnerability

The vulnerability exists because the Cisco Aironet Series Access Points (APs) forward some malformed wireless client packets outside of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. This behavior can trigger a security violation on the adjacent switch port if that port has port security configured. Affected APs include various models; see advisory [1] for details. Note: Though the CVSS score is High, this issue is considered Medium because a workaround exists and exploitation requires a specific switch configuration.

Exploitation

An unauthenticated attacker within wireless range of an affected AP can send crafted wireless packets to the AP. The AP then forwards these packets outside the CAPWAP tunnel to the adjacent switch interface. If that switch port has port security enabled, the malformed packets may cause a security violation, leading to the port being disabled and resulting in a denial of service (DoS) condition on the AP and potentially affecting client connectivity through that port. No authentication or special access is needed; the attacker only needs to be adjacent.

Impact

A successful exploit can cause a denial of service on the affected AP and may also disrupt connectivity for clients relying on the adjacent switch port. The attacker gains no other access or information; the impact is limited to availability.

Mitigation

Workarounds are available. Configure port security on the switch interface where the AP is connected to block malicious packets. Alternatively, disable CAPWAP tunnel fragmentation on the AP. Cisco has not announced a permanent fix at this time; the vulnerability is considered Medium due to available workarounds.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2