CVE-2022-20728
MEDIUM
Cisco Aironet and Catalyst Access Points - Unauthenticated VLAN Bypass via Native VLAN Packet Injection
Title source: llm
Description
A vulnerability in the client forwarding code of multiple Cisco Access Points (APs) could allow an unauthenticated, adjacent attacker to inject packets from the native VLAN to clients within nonnative VLANs on an affected device. This vulnerability is due to a logic error on the AP that forwards packets that are destined to a wireless client if they are received on the native VLAN. An attacker could exploit this vulnerability by obtaining access to the native VLAN and directing traffic directly to the client through their MAC/IP combination. A successful exploit could allow the attacker to bypass VLAN separation and potentially also bypass any Layer 3 protection mechanisms that are deployed.
References (1)
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY
Scores
CVSS v3: 4.7
EPSS: 0.0007
EPSS Percentile: 21.4%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-284
Status: published
Products (26)
cisco/aironet_1542d_firmware
017.006\(001\)
cisco/aironet_1542i_firmware
017.006\(001\)
cisco/aironet_1562d_firmware
017.006\(001\)
cisco/aironet_1562e_firmware
017.006\(001\)
cisco/aironet_1562i_firmware
017.006\(001\)
cisco/aironet_1815i_firmware
017.006\(001\)
cisco/aironet_1815m_firmware
017.006\(001\)
cisco/aironet_1815t_firmware
017.006\(001\)
cisco/aironet_1815w_firmware
017.006\(001\)
cisco/aironet_1830_firmware
017.006\(001\)
... and 16 more
Published: Sep 30, 2022
Tracked Since: Feb 18, 2026