Cisco Business Wireless Access Points Social Login Guest User Authentication Bypass Vulnerability

Vulnerability

A logic error in the social login configuration option for guest users of Cisco Business Wireless Access Points (APs) allows an unauthenticated, adjacent attacker to bypass authentication. The vulnerability affects Cisco Business 140, 141, 142, 143, 145, and 240 APs and Mesh Extenders running software releases prior to 10.8.1.0, and Business 150 and 151 APs and Mesh Extenders running releases prior to 10.4.2.0 [1]. Specifically, releases 10.7.1 and earlier (for the 140-240 series) and 10.2.2 and earlier (for the 150-151 series) are affected.

Exploitation

An attacker can exploit this vulnerability by attempting to authenticate to an affected device over an adjacent network path. The attacker does not need any prior authentication or credentials. The exploit leverages the social login implementation error, where the authentication bypass occurs during the authentication attempt to the Guest Portal [1]. No user interaction is required.

Impact

A successful exploit allows the attacker to access the Guest Portal of the affected Cisco Business Wireless AP without any form of authentication. This bypass results in unauthorized access to the guest network, potentially enabling further network reconnaissance or attacks. The Guest Portal is intended to require authentication, so the vulnerability undermines the access control mechanism for guest users [1].

Mitigation

Cisco has released fixed software versions: 10.8.1.0 for Business 140-240 series APs and Mesh Extenders, and 10.4.2.0 for Business 150-151 series APs and Mesh Extenders. Users are advised to migrate to these fixed releases. For affected releases without a direct upgrade path, Cisco recommends migrating to a fixed release as indicated in the advisory [1]. No workarounds are documented. The vulnerability is not listed in CISA's KEV as of publication [1].