CVE-2018-0247 [Medium] | Authentication Bypass in Wireless Lan Controller S…

A vulnerability in Web Authentication (WebAuth) clients for the Cisco Wireless LAN Controller (WLC) and Aironet Access Points running Cisco IOS Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic. The vulnerability is due to incorrect implementation of authentication for WebAuth clients in a specific configuration. An attacker could exploit this vulnerability by sending traffic to local network resources without having gone through authentication. A successful exploit could allow the attacker to bypass authentication and pass traffic. This affects Cisco Aironet Access Points running Cisco IOS Software and Cisco Wireless LAN Controller (WLC) releases prior to 8.5.110.0 for the following specific WLC configuration only: (1) The Access Point (AP) is configured in FlexConnect Mode with NAT. (2) The WLAN is configured for central switching, meaning the client is being assigned a unique IP address. (3) The AP is configured with a Split Tunnel access control list (ACL) for access to local network resources, meaning the AP is doing the NAT on the connection. (4) The client is using WebAuth. This vulnerability does not apply to .1x clients in the same configuration. Cisco Bug IDs: CSCvc79502, CSCvf71789.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.34%	0.95%	+0.61%
2	2026-02-28	0.48%	0.34%	-0.14%
3	2025-03-30	—	0.48%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.34%

0.95%

+0.61%

2026-02-28

0.48%

0.34%

-0.14%

2025-03-30

—

0.48%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.7	3.0	MEDIUM	`CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.8	1.4	[email protected]
3.3	2.0	LOW	`AV:A/AC:L/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:A) Requires access to an adjacent network segment. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	6.5	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.7

3.0

MEDIUM

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.8

1.4

[email protected]

3.3

2.0

LOW

AV:A/AC:L/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:A): Requires access to an adjacent network segment.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

6.5

2.9

[email protected]

Affected software / configurations for CVE-2018-0247

Vendor	Product	Version	Raw CPE
cisco	wireless_lan_controller_software	8.3\(104.105\)	cpe:2.3:o:cisco:wireless_lan_controller_software:8.3\(104.105\):::::::*
cisco	aironet_access_point_software	8.3\(104.105\)	cpe:2.3:o:cisco:aironet_access_point_software:8.3\(104.105\):::::::*
cisco	aironet_access_point_software	8.5\(107.52\)	cpe:2.3:o:cisco:aironet_access_point_software:8.5\(107.52\):::::::*

References for CVE-2018-0247

URL	Tags
http://www.securityfocus.com/bid/104087	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040814	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040815	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-aironet-auth	Vendor Advisory

URL

CVE-2018-0247

Exploit prediction scoring system (EPSS) score for CVE-2018-0247

Common vulnerability scoring system (CVSS) metrics for CVE-2018-0247

Weakness enumeration for CVE-2018-0247

Affected software / configurations for CVE-2018-0247

References for CVE-2018-0247