PT-2025-39298 · Cisco · Catalyst 9800 Series Wireless Controllers For Cloud

Published: 2025-09-24 · Updated: 2025-09-25 · CVE-2025-20293

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) (affected versions not specified)

Description

A flaw exists in the Day One setup process that may allow a remote, unauthenticated attacker to access the public-key infrastructure (PKI) server running on an affected device. This is caused by incomplete cleanup after the Day One setup is finished. An attacker could exploit this by sending Simple Certificate Enrollment Protocol (SCEP) requests to the device. Successful exploitation could allow the attacker to request a certificate and use it to connect an attacker-controlled device to the wireless controller.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2025-11712
CVE-2025-20293

Affected Products

Catalyst 9800 Series Wireless Controllers For Cloud
Cisco IOS XE