CVE-2025-20364

MEDIUM

Cisco Wireless AP Software - RCE

Title source: llm

Description

A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames with arbitrary information. This vulnerability is due to insufficient verification checks of incoming 802.11 action frames. An attacker could exploit this vulnerability by sending 802.11 Device Analytics action frames with arbitrary parameters. A successful exploit could allow the attacker to inject Device Analytics action frames with arbitrary information, which could modify the Device Analytics data of valid wireless clients that are connected to the same wireless controller.

References (1)

[Various Sources] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-action-frame-inj-QqCNcz8H

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-346

Status published

Products (50)

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.10.1

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.10.1e

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.11.1

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.11.1a

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.11.1b

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.11.1c

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.12.1

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.12.1s

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.12.1t

Cisco/Cisco Aironet Access Point Software (IOS XE Controller) 16.12.2s

... and 40 more

Published Sep 24, 2025

Tracked Since Feb 18, 2026