A critical vulnerability (CVE-2022-20695), with a CVSSv3 base score of 10, has been discovered in Cisco Wireless LAN Controller (WLC). The vulnerability could allow a remote attacker to log in to affected devices without a password. The bug depends on a non-default configuration, and workarounds are available.
A remote attacker could bypass authentication controls and log in to the device management interface.
Cisco advises that users can check their configuration with the show macfilter summary command. If the RADIUS compatibility mode is shown as “Other”, the device is considered vulnerable:
wlc > show macfilter summary
MAC Filter RADIUS Compatibility mode............. Other
MAC Filter Delimiter............................. Single-Hyphen
MAC Filter Entries............................... 0
The following devices may be vulnerable if they are running Cisco WLC version 126.96.36.199 or 188.8.131.52 and have macfilter radius compatibility mode set to “Other”:
- 3504 Wireless Controller
- 5520 Wireless Controller
- 8540 Wireless Controller
- Mobility Express
- Virtual Wireless Controller (vWLC)
Containment, Mitigations & Remediations
A security update has been released, but mitigations are available for cases where immediate patching is not practical.
Device owners who do not use macfilters can reset the macfilter radius compatibility mode:
wlc > config macfilter radius-compat cisco
Owners who use macfilters and are able to use other compatibility modes can change the macfilter compatibility mode to either of the following:
wlc > config macfilter radius-compat cisco
wlc > config macfilter radius-compat free
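The check and the two workarounds above can be combined into a small audit script: parse the dotted name/value lines of the show macfilter summary output, flag the controller when the RADIUS compatibility mode is “Other”, and pick the workaround to propose based on whether any macfilter entries are configured. This is an added example, not Cisco’s own tooling or text from the advisory; the sample outputs are constructed, and treating “MAC Filter Entries ... 0” as “this owner does not use macfilters” is an assumption the script states rather than something the advisory says.

```python
import re

# Constructed sample outputs modelled on the `show macfilter summary` format
# quoted in the advisory (not captured from a real controller).
VULNERABLE_OUTPUT = """\
wlc > show macfilter summary
MAC Filter RADIUS Compatibility mode............. Other
MAC Filter Delimiter............................. Single-Hyphen
MAC Filter Entries............................... 0
"""

SAFE_OUTPUT = """\
wlc > show macfilter summary
MAC Filter RADIUS Compatibility mode............. Cisco
MAC Filter Delimiter............................. Single-Hyphen
MAC Filter Entries............................... 12
"""

# A field line is "<name>....<dots>.... <value>"; the prompt line has no dot run
# and is therefore ignored by the parser.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\.{2,}\s*(?P<value>\S.*?)\s*$")

MODE_FIELD = "MAC Filter RADIUS Compatibility mode"
ENTRIES_FIELD = "MAC Filter Entries"


def parse_macfilter_summary(text):
    """Turn the dotted name/value lines of the command output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value")
    return fields


def assess(text):
    """Classify one controller's output and suggest the advisory's workaround.

    Returns a dict with the parsed mode, the entry count, whether the
    configuration matches the vulnerable condition (mode == "Other"), and the
    workaround command to propose (None when not vulnerable).
    """
    fields = parse_macfilter_summary(text)
    mode = fields.get(MODE_FIELD)
    if mode is None:
        raise ValueError("compatibility mode line not found in output")
    vulnerable = mode.strip().lower() == "other"

    try:
        entries = int(fields.get(ENTRIES_FIELD, "0"))
    except ValueError:
        entries = None  # unparseable count: fall through to the conservative branch

    if not vulnerable:
        remediation = None
    elif entries == 0:
        # Assumption (not from the advisory): zero entries means macfilters are
        # unused, so the mode can simply be reset to "cisco".
        remediation = "config macfilter radius-compat cisco"
    else:
        # Macfilters are in use: the owner must confirm which alternative mode
        # their RADIUS setup tolerates; both are listed in the advisory.
        remediation = "config macfilter radius-compat cisco (or: free)"

    return {
        "mode": mode,
        "entries": entries,
        "vulnerable": vulnerable,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for label, output in (("vulnerable", VULNERABLE_OUTPUT), ("safe", SAFE_OUTPUT)):
        result = assess(output)
        print(f"{label}: mode={result['mode']!r} entries={result['entries']} "
              f"vulnerable={result['vulnerable']} remediation={result['remediation']}")
```

Run against saved command output from each controller (for example, collected over an existing management workflow) rather than a live session; the script only reads text, and the remediation string is a suggestion for a change-control ticket, not something it applies.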
Indicators of Compromise
Cisco PSIRT is not aware of any malicious use of the exploit; however, the simplicity of this exploit and the extent to which Cisco equipment is used in enterprise environments mean that this vector is likely to be targeted by malicious attackers and Red Teams.
T1190 – Exploit Public-Facing Application