Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability

Vulnerability

A logic error in the validation of CAPWAP protocol messages in Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers allows an unauthenticated, remote attacker to send a crafted CAPWAP packet that triggers arbitrary code execution or a denial-of-service (DoS) condition. The affected versions include releases of Cisco IOS XE Software prior to the fixed releases identified in [1]. The vulnerability is due to insufficient verification of packet fields during CAPWAP processing.

Exploitation

An attacker does not require authentication or prior access to the network; the capability to send a single, specially crafted CAPWAP packet to the affected device is sufficient [1]. No user interaction is needed. The attack vector is over the network targeting the CAPWAP service, which is used for wireless controller to access point communications.

Impact

Successful exploitation allows the attacker to execute arbitrary code with administrative privileges (root or equivalent) on the device, or cause the device to crash and reload, resulting in a denial-of-service condition [1]. This grants full control of the affected wireless controller, potentially compromising the entire wireless network.

Mitigation

Cisco has released free software updates that address this vulnerability; customers are advised to upgrade to a fixed release as listed in the Cisco Security Advisory [1]. There are no viable workarounds. The advisory provides specific version numbers for each affected platform and clarifies that the vulnerability is not exploitable if CAPWAP is disabled, though CAPWAP is required for normal operations.