Ten out of ten: Cisco warns of critical security vulnerability in industrial wireless software

  • November 7, 2024

Cisco warns of a serious security flaw in its software for wireless industrial applications. With a maximum CVSS score of ten, Cisco customers had better not take it lightly.

Cisco has discovered a serious vulnerability in the web-based management interface of its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) access points. This vulnerability allows attackers to remotely execute commands with root privileges. There is currently no workaround available.

Command injection via the management interface

The vulnerability is tracked as CVE-2024-20418 and has a CVSS score of 10, the maximum score, which is not given often. It is caused by a lack of input validation in the web interface of certain Cisco access points running in URWB mode.

By sending specific HTTP requests, attackers can execute commands with root privileges on the affected device’s operating system. Access to root privileges allows an attacker to gain complete control of the device.

This vulnerability affects the Catalyst models IW9165D, IW9165E, and IW9167E when configured in URWB mode. Cisco access points that do not operate in URWB mode are not vulnerable to this attack. For a list of products that are and are not vulnerable, see the Cisco bulletin.

To determine whether the device is vulnerable, users can run the CLI command show mpls-config. If the command is available, it means that URWB mode is enabled and the device may be vulnerable.

Update available

Cisco has released security updates to address this vulnerability. Users of affected systems are advised to install available updates as soon as possible. We can only welcome this advice and further emphasize it.

There are no workarounds available: only the update offers a solution. For customers with a service contract, the updates are available through the usual channels, while other customers can obtain the updates through the Cisco Helpdesk. The network company also recommends keeping an eye on security information. This is sometimes necessary at Cisco.

Source: IT Daily
