{"id":7860,"date":"2026-04-17T21:00:35","date_gmt":"2026-04-17T21:00:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7860"},"modified":"2026-04-17T21:00:35","modified_gmt":"2026-04-17T21:00:35","slug":"flawed-cisco-update-threatens-to-stop-aps-from-getting-further-patches","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7860","title":{"rendered":"Flawed Cisco update threatens to stop APs from getting further patches"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cisco admins are scrambling to patch a critical flash memory overflow vulnerability in over 200 Cisco Systems IOS XE-based models of wireless access points (APs), caused by a recent flawed software update.<\/p>\n<p>If the issue is not corrected quickly, the AP\u2019s memory will become so flooded that new software updates will be blocked and the AP rendered insecure, or possibly even bricked.<\/p>\n<p>The problematic library update causes a specific log file in the flash memory of affected access points to grow by about 5MB a day. Over time, <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/field-notices\/743\/fn74383.html\" target=\"_blank\" rel=\"noopener\">Cisco said in an advisory this week<\/a>, this could consume \u201ca big portion\u201d of the available memory space.<\/p>\n<p>\u201cThe longer an AP runs the affected software, the higher the probability that a software download will fail due to insufficient space,\u201d the advisory says.<\/p>\n<p>Analyst <a href=\"https:\/\/www.linkedin.com\/in\/rob-enderle-03729\" target=\"_blank\" rel=\"noopener\">Rob Enderle<\/a> of the Enderle Group said that \u2018buggy logs\u2019 are a common trope in networking. 
But, he added, \u201cthis particular case is dangerous because it targets the physical limitations of flash memory on hardware that is notoriously difficult to access once it becomes bricked or enters a boot loop. In the world of networking, this is a\u00a0high-impact, medium-rarity\u00a0event.\u201d<\/p>\n<p>He explained, \u201cwhat makes this unique is the Catch-22 it creates. To fix the bug, you must upgrade the software. However, the bug itself prevents the device from having enough space to download the fix. If an admin waits too long, the device may require manual, physical intervention or become permanently stuck in a boot loop.\u201d<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, called this particular problem uncommon, although he acknowledged flash memory space in IoT devices like access points is limited and may fill up from time to time.<\/p>\n<p>\u201cBut,\u201d he added, \u201cthere is a bigger issue: A competent [vendor] vulnerability management program must always include verification that the patch was indeed applied as expected. There are many reasons why a patch may not be applied correctly, and this is just one way a patch may fail to apply.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kellman\/\" target=\"_blank\" rel=\"noopener\">Kellman Meghu<\/a>, CTO of incident response firm DeepCove Cybersecurity, said overflowing a fixed device\u2019s memory due to a bug \u201cwould have me rather annoyed with this vendor. This is very rare in my experience, and something that was an issue way back when storage costs were a factor. I would expect my vendor to be able to clean and manage storage for fixed devices. 
If this device is supported, this would be an RMA [return merchandise authorization] or fix issue, and expectation [for vendor action] would be right away\/proactive.\u201d<\/p>\n<p>Affected are access points running IOS XE versions 17.12.4, 17.12.5, 17.12.6, and 17.12.6a. These include Cisco Catalyst 9130AX series APs, as well as 9130AX models with a Stadium Antenna, Catalyst 9136I, 9162I, 9163E, 9164I, 9166D1, and IW9167 series APs, and Wi-Fi 6 Outdoor APs.<\/p>\n<p>There are two ways for admins to solve the problem: <a href=\"https:\/\/developer.cisco.com\/docs\/wireless-troubleshooting-tools\/wlan-poller-wlan-poller\" target=\"_blank\" rel=\"noopener\">Download a Cisco tool called WLANPoller<\/a>, which automates execution of a fix across multiple APs, or manually use the <strong>show boot<\/strong> command on each device to look into the boot partition and see if it has enough space for an upgrade. Greater detail on the necessary action is in the Cisco advisory.<\/p>\n<p>Cisco says a mandatory precheck of an AP\u2019s status should be run as close to the scheduled maintenance window as possible. But because the affected log file grows daily, Enderle said, \u201cyou sure don\u2019t want to wait until [AP] failure.\u201d<\/p>\n<p>Manual fixing will probably take 5-10 minutes of active work per AP, he cautioned, plus another 15-20 minutes soak time to make sure the fix takes if the AP does have room for the upgrade. 
But if the AP has space problems, the time per device could jump to around 20-45 minutes.<\/p>\n<p>And if the AP has failed, then it would take one to two hours to fix, he added, and would need physical access to the device.<\/p>\n<p>Using WLANPoller will make the process faster, he added.<\/p>\n<p>Enderle said that if an admin finds an AP whose flash memory is already too full to upgrade, a\u00a0reboot\u00a0sometimes clears temporary buffers or allows a small window for a manual transfer. However, with this specific log bug, a reboot may not be enough if the file is persistent. Admins should contact Cisco for the emergency cleanup script before attempting a mass push, he said.<\/p>\n<p>Ultimately, Enderle said, the pushing of a flawed update is a supply chain integrity issue. CSOs should ask their teams, \u2018Do we have monitoring in place for hardware health metrics (CPU, RAM, Flash), or only for \u2018Up\/Down\u2019 status?\u2019\u00a0An AP that is Up but has 0MB of free flash memory is a liability, he said.<\/p>\n<p>CSOs should look at this vulnerability as a\u00a0Critical Availability Risk, he added. \u201cWhile it isn\u2019t a data breach, the potential for a site-wide Wi-Fi outage (due to failed automated updates or boot loops) can halt business operations,\u201d he noted, adding that CSOs should also enforce a policy where even \u201cminor library updates\u201d are still tested in a lab environment for seven to 14 days. 
\u201cThis 5MB\/day log growth would likely have been caught in a lab before hitting a production fleet of 5,000 APs,\u201d Enderle said.<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.networkworld.com\/article\/4160480\/flawed-cisco-update-threatens-to-stop-aps-from-getting-further-patches.html\" target=\"_blank\" rel=\"noopener\">NetworkWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cisco admins are scrambling to patch a critical flash memory overflow vulnerability in over 200 Cisco Systems IOS XE-based models of wireless access points (APs), caused by a recent flawed software update. If the issue is not corrected quickly, the AP\u2019s memory will become so flooded that new software updates will be blocked and the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7861,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7860","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7860"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7860"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7860\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7861"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7860"}],"wp:term":[{"taxonomy":"ca
tegory","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}