JVN#71263107: Multiple vulnerabilities in Cisco Small Business Series Wireless Access Points

Published: 2021-05-14 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS2: 9 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.002 Low (Percentile: 62.1%)

Cisco Small Business Series Wireless Access Points provided by Cisco Systems, Inc. contain multiple vulnerabilities listed below.

Improper access control (CWE-284) - CVE-2021-1400

Version   Vector                                         Score
CVSS v3   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H   Base Score: 8.8
CVSS v2   AV:N/AC:L/Au:S/C:C/I:C/A:C                     Base Score: 9.0

Command injection (CWE-78) - CVE-2021-1401

Version   Vector                                         Score
CVSS v3   CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N   Base Score: 5.5
CVSS v2   AV:N/AC:M/Au:S/C:C/I:P/A:N                     Base Score: 7.0

Impact

The impact varies by vulnerability. If an attacker who can access the affected device sends a specially crafted HTTP request to the administrative web interface of the device, the following are possible:

  • A user, including an administrator, may be impersonated - CVE-2021-1400
  • An arbitrary command may be executed with the administrative privileges of the device - CVE-2021-1401

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.

Products Affected

  • WAP125 Wireless-AC Dual Band Desktop Access Point with PoE 1.0.3.1 and earlier
  • WAP131 Wireless-N Dual Radio Access Point with PoE 1.0.2.17 and earlier
  • WAP150 Wireless-AC/N Dual Radio Access Point with PoE 1.1.2.4 and earlier
  • WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch 1.0.2.17 and earlier
  • WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE 1.1.2.4 and earlier
  • WAP581 Wireless-AC Dual Radio Wave 2 Access Point with 2.5GbE LAN 1.0.3.1 and earlier

The developer states that WAP131 Wireless-N Dual Radio Access Point with PoE and WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch are no longer supported (End-of-Life, EOL). For details, refer to the information provided by the developer.
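
An added example, not part of the JVN advisory or of any Cisco tooling: a Python check that triages a device inventory against the "Products Affected" list above, separating the end-of-life models from those that still receive firmware. The version thresholds and EOL flags are taken from this advisory; the inventory rows, status names and function names are assumptions made for illustration.

```python
# Added example: thresholds and EOL flags are from the advisory; inventory rows,
# status names and function names are constructed for illustration.

# model -> (last affected firmware version, end-of-life per the developer)
AFFECTED = {
    "WAP125": ("1.0.3.1", False),
    "WAP131": ("1.0.2.17", True),
    "WAP150": ("1.1.2.4", False),
    "WAP351": ("1.0.2.17", True),
    "WAP361": ("1.1.2.4", False),
    "WAP581": ("1.0.3.1", False),
}

# Constructed sample inventory: (hostname, model, firmware string as reported)
INVENTORY = [
    ("ap-lobby", "WAP125", "1.0.3.1"),
    ("ap-lab", "WAP131", "1.0.2.4"),
    ("ap-floor2", "wap150", "1.1.2.10"),
    ("ap-guest", "WAP581", "unknown"),
    ("ap-annex", "OTHER-AP", "1.0.0.0"),
]

def parse_version(text):
    """'1.0.2.17' -> (1, 0, 2, 17); integer fields, because a string comparison
    ranks 1.0.2.4 above 1.0.2.17. Trailing zeros drop so 1.0.3.1.0 == 1.0.3.1."""
    parts = [int(field) for field in text.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(model, firmware):
    entry = AFFECTED.get(model.strip().upper())
    if entry is None:
        return "model-not-listed"
    last_affected, eol = entry
    try:
        running = parse_version(firmware)
    except ValueError:
        return "version-unreadable"  # needs manual review, not a pass
    if running > parse_version(last_affected):
        return "newer-than-affected"
    return "affected-eol" if eol else "affected"

def report(inventory):
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "affected-eol" are the WAP131 and WAP351 models that the developer no longer supports, so they belong in a separate queue from devices that only need the firmware update.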
