Cisco has released security updates to address a maximum severity security flaw affecting Ultra-Reliable Wireless Backhaul (URWB) access points that could allow unauthenticated remote attackers to execute elevated-privilege commands.
Tracked as CVE-2024-20418 (CVSS score: 10.0), the vulnerability is attributed to a lack of input validation in the web management interface of Cisco Unified Industrial Wireless Software.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to the web management interface of an affected system,” Cisco said in an advisory issued Wednesday.
“A successful exploit could allow an attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device.”
The vulnerability affects the following Cisco products when the URWB mode of operation is enabled:
- Catalyst IW9165D Heavy Duty Access Points
- Catalyst IW9165E Trusted Access Points and Wireless Clients
- Catalyst IW9167E Heavy Duty Access Points
The networking hardware manufacturer emphasized that CVE-2024-20418 does not affect products that do not run in URWB mode. It said the vulnerability was discovered during internal security testing.
The issue has been addressed in Cisco Unified Industrial Wireless Software version 17.15.1. Users running versions 17.14 and earlier are advised to upgrade to the fixed release.
Cisco has not indicated that the flaw is being exploited in the wild. Even so, users should apply the latest patches promptly to protect against potential threats.