Successfully exploiting flaws allows an attacker to upload files, perform path traversals and execute arbitrary commands using root privileges.
Non-WLC instances are not affected
According to the consultation, customers running an iOS XE software instance on the device cannot function properly because WLC is not fragile.
This defect only affects WLC instances, including the Catalyst 9800-CL wireless controller for the cloud, the Catalyst 9800 embedded wireless controller, the Catalyst 9300, 9400 and 9500 series switches, the Catalyst 9800 Servers Series Server wireless controller, and the wireless controller embedded on the Catalyst ap. Additionally, Cisco notes that for successful exploitation, the download feature of out-of-band mapping must be enabled on the device, which is not the default setting.
The above requirements remove some widely used Cisco products from the list of vulnerable products, including iOS software, iOS XR software, Meraki products, NX-OS software and WLC Aireos software.
