Bug in Cisco IOS XE Firmware Fills Wi-Fi Access Point Flash Memory
In Cisco IOS XE firmware, a critical bug has been discovered that causes Wi-Fi access points to generate up to 5 MB of useless logs daily. The issue affects more than 230 equipment models and can lead to complete failure of software updates due to insufficient space in the built-in flash memory.
The Problem: Uncontrolled Growth of the cnssdaemon.log File
The error occurs in Cisco IOS XE versions 17.12.4, 17.12.5, 17.12.6, and 17.12.6a. In these builds, one of the system libraries mishandles the cnssdaemon.log file—a log associated with the radio module management daemon. Every day, its size increases by about 5 MB, regardless of the device's activity level or logging configuration.
A key feature of the incident is the inability to delete the file via CLI (command line). Even after running the delete flash:cnssdaemon.log command, the system either ignores the request or restores the file on the next reboot. This renders standard memory cleanup methods useless.
Impact on Equipment Operation
As the flash memory fills up, the device loses the ability to accept new firmware images or update packages. In the worst case, this leads to a boot loop, where the access point can't complete startup due to a lack of free space for temporary files.
Cisco emphasizes: the longer the device runs on the vulnerable version, the higher the risk of total failure without physical intervention. Standalone access points deployed in hard-to-reach locations (like industrial sites or distributed offices) are especially vulnerable.
Recommended Actions for Administrators
The vendor recommends the following steps:
- Check the software version on all Cisco access points using the command:
```
show version | include IOS XE
```
- Assess free space in flash memory:
```
dir flash:
```
- If less than 50 MB is free, immediately plan an update to the fixed version (17.12.7 or later).
- If memory is already full and updating is impossible, recovery via ROMMON will be required—the low-level boot mode that needs physical access to the device.
Comparison to Other Incidents in Networking Equipment Ecosystem
The issue resembles the 2025 ASUS router incident, where a vulnerability in AiCloud allowed authentication bypass. However, the current situation is fundamentally different: there's no external exploitation here, but a hidden degradation effect that shows up after weeks or months of operation.
Such "silent" bugs are especially dangerous because they don't cause immediate failures and often go unnoticed until the critical moment. They highlight the importance of regular storage monitoring even on stably running equipment.
Key Points
- The bug affects only specific Cisco IOS XE versions (17.12.4–17.12.6a).
- The cnssdaemon.log file cannot be deleted using standard CLI methods.
- When flash memory is full, software updates become impossible without ROMMON recovery.
- The risk is especially high for devices deployed without constant monitoring.
- The fix is available starting with version 17.12.7.
Administrators are advised not to delay updates and to implement automated flash memory usage monitoring as part of their infrastructure monitoring system.
— Editorial Team
No comments yet.