Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerability
Description
Crafted CAPWAP packet causes buffer over-read and DoS on unpatched Cisco Catalyst 9800 Series controllers running IOS XE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A denial of service vulnerability exists in the CAPWAP protocol processing of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers [1]. The bug is due to insufficient input validation during CAPWAP packet handling, leading to a buffer over-read [1]. Affected versions are releases prior to the fixed software releases specified in Cisco Security Advisory cisco-sa-capwap-dos-ShFzXf, for the Catalyst 9800 Series (e.g., 9800-40, 9800-80) running certain IOS XE versions [1]. No special configuration is required for the vulnerable code path to be reachable.
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by sending a single crafted CAPWAP packet to the affected device over the network [1]. No authentication, user interaction, or prior access is needed. The attacker must be able to reach the CAPWAP service on the controller.
Impact
Successful exploitation causes the affected wireless controller to crash and reload, resulting in a denial of service condition [1]. All wireless client connectivity and management functions are disrupted until the device completes its reload cycle. The impact is limited to availability; there is no disclosure or modification of data.
Mitigation
Cisco has released free software updates to address this vulnerability [1]. The fixed releases are identified in the Cisco Security Advisory. Customers should upgrade to the appropriate patched version. There are no known workarounds that mitigate the vulnerability without upgrading. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-ShFzXf (mitre; vendor-advisory; x_refsource_CISCO)
News mentions
No linked articles in our index yet.