Cisco Wireless Access Point Software Device Analytics Action Frame Injection Vulnerability
TL;DR 📌
A medium-severity vulnerability has been identified in Cisco Wireless Access Point Software related to Device Analytics action frame processing. An unauthenticated adjacent attacker could exploit this vulnerability to inject arbitrary information into wireless 802.11 action frames. Cisco has released fixed software, but no workarounds are available.
What happened 🕵️♂️
A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point Software allows an unauthenticated, adjacent attacker to inject wireless 802.11 action frames with arbitrary information. This issue arises from insufficient verification checks of incoming 802.11 action frames. Successful exploitation could modify the Device Analytics data of valid wireless clients connected to the same wireless controller.
Affected products 🖥️
The following Cisco products are affected if they are running a vulnerable release of Cisco AP Software with Device Analytics enabled:
- 6300 Series Embedded Services APs
- Aironet 1540 Series APs
- Aironet 1560 Series APs
- Aironet 1800 Series APs
- Aironet 2800 Series APs
- Aironet 3800 Series APs
- Aironet 4800 APs
- Catalyst 9100 APs
- Catalyst IW6300 Heavy Duty Series APs
- Integrated APs on 1100 Integrated Services Routers (ISRs)
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 17.11 and earlier | Migrate to a fixed release. | |
| 17.12 | 17.12.6 | |
| 17.13 | Migrate to a fixed release. | |
| 17.14 | Migrate to a fixed release. | |
| 17.15 | 17.15.4 | |
| 17.16 | Migrate to a fixed release. | |
| 17.17 | Migrate to a fixed release. | |
| 17.18 | Not vulnerable. | |
| 1.0 | Initial public release. | |
| Cisco Wireless LAN Controller | 17.12.6 | 17.11 and earlier |
| Cisco Wireless LAN Controller | 17.15.4 | 17.15 |
Workarounds 🧯
There are no workarounds available to mitigate this vulnerability.
Risk in context 🎯
The vulnerability has a CVSS score of 4.3, categorized as Medium severity. While exploitation requires an adjacent attacker, the potential to modify Device Analytics data poses a risk to network integrity and client data accuracy.
Fast facts ⚡
- Vulnerability ID: CVE-2025-20364
- CVSS Score: 4.3 (Medium)
- Attack Vector: Adjacent network access required
- Exploitation Impact: Potential modification of Device Analytics data
For leadership 🧭
This vulnerability presents a Medium risk to your network environment. It requires adjacent network access, meaning an attacker must be within the same local network to exploit it. There is no authentication required, which increases the risk of exploitation. Immediate remediation is advised: patch within 7 days using the fixed software releases provided by Cisco. Operational impact is expected to be minimal, with a brief maintenance window and no configuration drift anticipated.
Now / Next / Later:
- Now: Identify affected devices and plan for software upgrades.
- Next: Implement the fixed software releases as per Cisco’s guidance.
- Later: Review security policies to ensure ongoing monitoring and protection against similar vulnerabilities.