CVE-2025-20293
📋 TL;DR
A vulnerability in Cisco IOS XE Software for Catalyst 9800-CL wireless controllers allows unauthenticated remote attackers to access the PKI server after Day One setup. This enables attackers to request certificates and join malicious devices to the virtual wireless controller. Only Catalyst 9800-CL controllers with Day One setup completed are affected.
💻 Affected Systems
- Cisco Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains unauthorized access to wireless network infrastructure, joins rogue devices, intercepts traffic, or launches man-in-the-middle attacks against legitimate wireless clients.
Likely Case
Unauthorized device joins the wireless controller network, potentially enabling network reconnaissance, data interception, or lateral movement within the network.
If Mitigated
With proper network segmentation and access controls, impact is limited to the wireless controller management plane without compromising core network infrastructure.
🎯 Exploit Status
Exploitation requires sending SCEP requests to the vulnerable device. No authentication is required, making exploitation straightforward for attackers who can reach the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cisco IOS XE Software release 17.14.1a or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-9800cl-openscep-SB4xtxzP
Restart Required: No
Instructions:
1. Download the fixed software from Cisco Software Center.
2. Upgrade to Cisco IOS XE Software release 17.14.1a or later.
3. No reload or restart is required after installation.
🔧 Temporary Workarounds
Disable SCEP Server
Manually disable the SCEP server that remains active after Day One setup completion
configure terminal
no crypto pki server scep
end
write memory
🧯 If You Can't Patch
- Implement strict network access controls to limit SCEP traffic to trusted sources only
- Monitor for unauthorized certificate enrollment requests and unexpected device joins to the wireless controller
🔍 How to Verify
Check if Vulnerable:
Check whether the device is running Cisco IOS XE Software release 17.14.1 or earlier and has completed Day One setup
Check Version:
show version | include Version
Verify Fix Applied:
Verify the device is running Cisco IOS XE Software release 17.14.1a or later, or confirm the SCEP server is disabled
📡 Detection & Monitoring
Log Indicators:
- Unexpected SCEP enrollment requests
- Unauthorized certificate issuance logs
- Unknown devices joining the wireless controller
Network Indicators:
- SCEP traffic from untrusted sources to the wireless controller
- Unexpected certificate enrollment protocol traffic
SIEM Query:
source_ip NOT IN trusted_networks AND dest_port=80 AND protocol=HTTP AND uri CONTAINS 'cgi-bin/pkiclient.exe'
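The SIEM query above, worked through as an added example that is not part of the original entry: a small Python filter that applies the same rule (SCEP enrollment path requested from a source outside the trusted networks) to HTTP access log lines. It assumes the requests are recorded in combined-format access logs (for instance by a proxy or collector in front of the controller) and uses a constructed trusted-network list and constructed sample lines.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log: ip - - [time] "METHOD /uri HTTP/1.x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Path used by the SCEP server, as quoted in the SIEM query above
SCEP_PATH = "cgi-bin/pkiclient.exe"

def parse_line(line):
    """Return a dict with ip, method, path, operation, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    # SCEP carries the operation (GetCACert, GetCACaps, PKIOperation) in the query string
    rec["operation"] = parse_qs(parts.query).get("operation", ["?"])[0]
    return rec

def find_untrusted_scep(lines, trusted_cidrs):
    """List (ip, operation, status) for SCEP requests from outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or SCEP_PATH not in rec["path"]:
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed source field; skip rather than crash the pipeline
        if any(src in net for net in trusted):
            continue
        hits.append((rec["ip"], rec["operation"], rec["status"]))
    return hits

# Constructed sample data (hypothetical addresses from documentation ranges)
TRUSTED_NETWORKS = ["10.0.0.0/8"]
SAMPLE_LOG = [
    '10.1.1.5 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/pkiclient.exe?operation=GetCACaps HTTP/1.1" 200 45',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "POST /cgi-bin/pkiclient.exe?operation=PKIOperation HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /webui/login HTTP/1.1" 200 512',
    'garbage line',
]

if __name__ == "__main__":
    for ip, op, status in find_untrusted_scep(SAMPLE_LOG, TRUSTED_NETWORKS):
        print(f"untrusted SCEP request: src={ip} operation={op} status={status}")
```

A PKIOperation from an untrusted source with a 200 status is the case to escalate, since that is the enrollment step that would issue a certificate.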