Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Patches Critical Vulnerabilities in IOS XE Software

Cisco this week announced the availability of patches for a series of critical vulnerabilities in IOS XE software that could be exploited to execute arbitrary code remotely, cause denial of service, or manipulate device configuration.

Cisco this week announced the availability of patches for a series of critical vulnerabilities in IOS XE software that could be exploited to execute arbitrary code remotely, cause denial of service, or manipulate device configuration.

The most severe of these issues is CVE-2021-34770 (CVSS score of 10), which could lead to remote code execution without authentication, with administrator privileges.

Residing in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of IOS XE software for Catalyst 9000 wireless controllers, the bug can also be exploited to cause a denial of service (DoS) condition.

According to Cisco, because the process of validating CAPWAP packets is flawed, an attacker could send a crafted packet to a vulnerable device to run arbitrary code or cause the device to crash and reload.

The security hole affects Catalyst 9300, 9400, and 9500 series switches, Catalyst 9800 and 9800-CL wireless controllers, and embedded wireless controllers on catalyst access points.

Cisco also addressed a buffer overflow in IOS XE SD-WAN, which could be exploited by an unauthenticated, remote attacker to execute arbitrary commands with root privileges or cause a denial of service condition.

Tracked as CVE-2021-34727 (CVSS score of 9.8), the vulnerability exists due to insufficient bounds checking during the processing of traffic. Affected products include 1000 and 4000 series integrated services routers (ISRs), 1000 series aggregation services routers (ASR), and cloud services router 1000V series.

The third critical vulnerability Cisco patched in IOS XE this week is CVE-2021-1619 (CVSS score of 9.8), which resides in the authentication, authorization, and accounting (AAA) function of the platform.

Due to an uninitialized variable, the bug allows for an unauthenticated, remote attacker to send NETCONF or RESTCONF requests to bypass authentication and manipulate the configuration of the device or cause denial of service.

Cisco has released patches for all three vulnerabilities and says that it is not aware of them being exploited in the wild.

The patches were released as part of Cisco’s September 2021 bundle of security advisories for IOS and IOS XE software, which consists of a total of 25 advisories describing 27 vulnerabilities in these platforms, including 13 high-severity and 11 medium-severity flaws.

Related: Cisco Patches Critical Enterprise NFVIS Vulnerability for Which PoC Exploit Is Available

Related: Cisco: Critical Flaw in Older SMB Routers Will Remain Unpatched

Related: Cisco Patches Serious Vulnerabilities in Data Center Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet