VYPR
Unrated severity · NVD Advisory · Published Mar 24, 2021 · Updated Nov 8, 2024

Cisco Aironet Access Points Arbitrary File Overwrite Vulnerability

CVE-2021-1423

Description

A vulnerability in the implementation of a CLI command in Cisco Aironet Access Points (AP) could allow an authenticated, local attacker to overwrite files in the flash memory of the device. This vulnerability is due to insufficient input validation for a specific command. An attacker could exploit this vulnerability by issuing a command with crafted arguments. A successful exploit could allow the attacker to overwrite or create files with data that is already present in other files that are hosted on the affected device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CLI command in Cisco Aironet Access Points allows authenticated local attackers to overwrite flash files due to insufficient input validation.

Vulnerability

A vulnerability in the implementation of a CLI command in Cisco Aironet Access Points (AP) could allow an authenticated, local attacker to overwrite files in the flash memory of the device. This issue is due to insufficient input validation for a specific command. Affected devices include Cisco Aironet APs running Cisco Wireless LAN Controller (WLC) software releases 8.5 prior to 8.5.171.0, 8.10 prior to 8.10.130.0, and Catalyst 9800 controller software releases 16.12 prior to 16.12.5. Releases 8.4 and earlier, 8.6–8.9, and 16.11 and earlier are also affected and require migration to a fixed release. Releases 17.3 and later are not vulnerable [1].

Exploitation

An attacker must have authenticated local access to the affected device. The attacker can exploit the vulnerability by issuing the vulnerable CLI command with crafted arguments. No additional user interaction or network access beyond local authentication is required. The exact command is not disclosed in the available references [1].

Impact

A successful exploit allows the attacker to overwrite or create files in the flash memory of the device using data that is already present in other files hosted on the same device. This could lead to file integrity compromise, potentially enabling denial of service or privilege escalation if critical system files are overwritten [1].

Mitigation

Cisco has released fixed software versions: for APs managed by WLC or Mobility Express, upgrade to 8.5.171.0 or 8.10.130.0; for APs managed by Catalyst 9800 or Embedded Wireless Controller, upgrade to 16.12.5. Releases 17.3 and later are not affected. No workarounds are available. Customers should consult the Cisco Security Advisory for the most current information [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
