CVE-2024-20287
Description
A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in Cisco WAP371 AP web interface allows root-level code execution; no fix available as product is end-of-life.
Vulnerability
A command injection vulnerability exists in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup. The issue stems from improper validation of user-supplied input. An authenticated, remote attacker can inject arbitrary commands by sending crafted HTTP requests to the management interface. All versions of the Cisco WAP371 are affected, as the product has entered the end-of-life process and no firmware updates will be released [1].
Exploitation
To exploit this vulnerability, an attacker must have valid administrative credentials for the device. With those credentials, the attacker sends specially crafted HTTP requests to the web-based management interface. The improper input validation allows the attacker to inject operating system commands into the request, which are then executed on the device [1].
Impact
Successful exploitation grants the attacker arbitrary command execution with root privileges on the affected access point. This gives the attacker full control over the device, including the ability to modify configuration, access sensitive data, or use the device as a pivot point for further network attacks [1].
Mitigation
Cisco has not released and will not release firmware updates to address this vulnerability because the Cisco WAP371 Wireless-AC/N AP with Single Point Setup has entered the end-of-life process. No workarounds are available. The only mitigation is to replace the affected device with a supported product [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper validation of user-supplied input in the web-based management interface allows command injection."
Attack vector
An authenticated attacker with valid administrative credentials sends crafted HTTP requests to the web-based management interface of the Cisco WAP371 AP [1]. The vulnerability stems from improper validation of user-supplied input [1]. A successful exploit allows the attacker to execute arbitrary commands with root privileges on the device [1].
Affected code
The advisory does not specify particular functions, files, or code paths. The vulnerability exists in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point with Single Point Setup [1].
What the fix does
Cisco has not released and will not release firmware updates to address this vulnerability because the Cisco WAP371 Wireless-AC/N AP with Single Point Setup has entered the end-of-life process [1]. Customers are advised to migrate to the Cisco Business 240AC AP [1]. No patch is available.
Preconditions
- auth: Attacker must have valid administrative credentials for the device.
- network: Attacker must be able to send HTTP requests to the web-based management interface of the affected device.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References