Home > Security Bulletins > Cisco Wireless LAN Controller Management Critical Vulnerability

Cisco Wireless LAN Controller Management Critical Vulnerability


Cisco have published a security advisory about an Authentication Bypass vulnerability in Cisco Wireless LAN Controller (WLC) software (CVE-2022-20695). The vulnerability has a CVSS 3.1 score of 10 (Critical).

This vulnerability could allow an unauthenticated remote attacker to bypass authentication controls and login to the device via the management interface using crafted credential input.

Cisco notes in their advisory that the vulnerability exists when a non-default device configuration is present.

Cisco have patched the vulnerability in Wireless LAN Controller

Affected Products

This vulnerability affects the following Cisco products if they are running Cisco WLC Software Release or Release and have macfilter radius compatibility configured as Other:

3504 Wireless Controller
5520 Wireless Controller
8540 Wireless Controller
Mobility Express
Virtual Wireless Controller (vWLC)

Unaffected Products

Cisco have confirmed that this vulnerability does not affect the following Cisco products:

Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800 Wireless Controller for Cloud
Embedded Wireless Controller on Catalyst Access Points
Wireless LAN Controller (WLC) AireOS products not listed in the Vulnerable Products section

Cisco have confirmed that WLC 8.9 and earlier are not vulnerable and and earlier are not vulnerable.


Cisco have detailed mitigations to address the vulnerability.

Option 1: No Macfilters in the Environment

Customers who do not use macfilters can reset the macfilter radius compatibility mode to the default value using the following CLI command:

wlc > config macfilter radius-compat cisco
Option 2: Macfilters in the Environment

Customers who use macfilters and who are able to change the radius server configuration to match other possible compatibility modes can modify the macfilter compatibility to either cisco or free using one of the following CLI commands:

wlc > config macfilter radius-compat cisco
wlc > config macfilter radius-compat free