Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family CAPWAP Denial of Service Vulnerability

Plan Patch | 8.6 | cisco-sa-wlc-dos-hnX5KGOm | Mar 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family allows an unauthenticated remote attacker to cause a denial of service by sending a malformed CAPWAP (Control and Provisioning of Wireless Access Points) packet. The affected device improperly handles the malformed packet, causing an unexpected reload and disconnection of all associated wireless access points. Affected versions include 17.14.1 through 17.18.1. Cisco has released software updates to address this vulnerability. No workarounds are available.

What this means
What could happen
An attacker can send a crafted network packet to a Catalyst CW9800 wireless controller that causes it to crash and reload, disconnecting all wireless access points and users from the network until the device recovers.
Who's at risk
Wireless network operators using Cisco Catalyst CW9800 wireless controllers should patch immediately. This affects all wireless access points and devices connected to the controller, as a crash of the controller disconnects the entire wireless infrastructure.
How it could be exploited
An attacker on the network (or the internet if the device is reachable remotely) sends a malformed CAPWAP packet to the wireless controller's network interface. The device fails to properly validate the packet structure, processes it incorrectly, and crashes, triggering an unplanned reboot.
Prerequisites
  • Network access to the CAPWAP port (typically UDP 5246) on the wireless controller
  • No authentication required
remotely exploitable, no authentication required, low complexity, causes service outage, affects wireless infrastructure availability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family CAPWAP
Affected Versions: 17.14.1 through 17.18.1
Fix Status: Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the CAPWAP port (UDP 5246) using firewall rules to only trusted wireless access points and management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco IOS XE Wireless Controller Software to version 17.18.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the wireless controller management traffic from untrusted network segments
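
One way to triage a controller inventory against the affected range and fixed release listed in this advisory (an added example, not Cisco's or this page's own code). The hostnames and version banners are constructed, and dropping the rebuild letter so that 17.15.1a is treated like 17.15.1 is an assumption.

```python
import re

# Bounds taken from the advisory above: 17.14.1 through 17.18.1 affected, 17.18.2+ fixed.
AFFECTED_FIRST = (17, 14, 1)
AFFECTED_LAST = (17, 18, 1)
FIXED_FROM = (17, 18, 2)

# Matches "Version 17.15.1", "Version 17.15.1a" or zero-padded "Version 17.12.04".
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b")

def parse_version(text):
    """Return (major, minor, patch) or None. A rebuild letter such as the 'a'
    in 17.15.1a is dropped (assumption: a rebuild shares its base release's status)."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()[:3]) if m else None

def classify(text):
    v = parse_version(text)
    if v is None:
        return "unknown"        # unparseable banner: check the device by hand
    if v >= FIXED_FROM:
        return "fixed"
    if AFFECTED_FIRST <= v <= AFFECTED_LAST:
        return "affected"
    return "not-listed"         # older than the advisory's affected range

def triage(inventory):
    """inventory: {hostname: version banner}. Returns {status: [hostnames]}."""
    result = {}
    for host, banner in sorted(inventory.items()):
        result.setdefault(classify(banner), []).append(host)
    return result

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "wlc-plant-a": "Cisco IOS XE Software, Version 17.15.1a",
    "wlc-plant-b": "Cisco IOS XE Software, Version 17.18.2",
    "wlc-lab": "Cisco IOS XE Software, Version 17.12.04",
    "wlc-hq": "Cisco IOS XE Software, Version 17.18.1",
    "wlc-old": "banner unavailable",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Controllers reported as "affected" are the ones to schedule for the update and, until then, to place behind the CAPWAP port restriction described above.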