Unlogged Firmware Changes Pose Serious Compliance and Security Risks

StephenG_007
Here to help


We've identified a critical issue in the Meraki dashboard: scheduled firmware upgrades and their manual cancellations are not logged in the organization changelog. This gap has serious implications:

  • Regulatory Compliance: Standards like PCI DSS, HIPAA, SOX, and GDPR require detailed audit trails. Missing logs can lead to non-compliance, fines, and loss of operational privileges.
  • Security Investigations: Without logs, it's nearly impossible to trace the root cause of incidents or detect malicious activity.
  • Legal and Financial Liability: In the event of a breach, organizations may face negligence lawsuits, shareholder actions, and insurance claim denials due to lack of evidence.

This is not just a feature gap—it's a severe bug that undermines trust, transparency, and accountability. I urge Meraki to prioritize this issue and provide a roadmap for resolution.

Has anyone else encountered this? Let's raise visibility and push for a fix.

alemabrahao
Kind of a big deal

But this is recorded on the firmware update page, right?


[Screenshot attached]


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
StephenG_007
Here to help

When the firmware is scheduled by Cisco, yes, it shows there. However, there is nothing in the organization logs showing that it was scheduled by Cisco. If the Cisco-scheduled firmware is cancelled by a portal user, this also does not enter the logs. If I, or another portal user, schedule firmware and it completes, yes, it is recorded in the org logs.

Here is a scheduled upgrade done by a portal user being recorded.

[Screenshot attached]

RWelch
Kind of a big deal

If security and regulatory compliance are paramount, perhaps managing firmware upgrades and updates should be a manual process instead of waiting for the dashboard to force an update.

I guess I look at things a bit differently: Meraki's mindset is simplicity. If your organization and network protocols are stringent, perhaps Meraki is not the most ideal fit.

After upgrading to MS18.1.3, all the event logs indicate is "DEVICE BOOT" and "reason: firmware upgrade".

PhilipDAth
Kind of a big deal

I just tested this - and it DID appear in the Organisation change log.


[Screenshot attached]


StephenG_007
Here to help

Thanks everyone for the feedback and testing.

To clarify further:

  • The issue isn't with visibility on the firmware update page, but with the absence of entries in the organization changelog, which is critical for audit and compliance purposes.
  • Specifically, when Cisco schedules a firmware upgrade, and a portal user cancels it, this cancellation is not logged in the org changelog.
  • This creates a blind spot for compliance audits and forensic investigations.

@PhilipDAth – appreciate your test. Could you confirm whether your test involved a Cisco-scheduled upgrade that was cancelled by a portal user? That's the specific scenario where we're seeing the gap.


I agree with @RWelch that Meraki's simplicity is a strength, but for organizations under strict regulatory frameworks, transparent logging is non-negotiable.

I urge Meraki to:

  • Acknowledge this as a logging bug, not a feature request.
  • Provide a roadmap for resolution to restore trust and compliance integrity.

Let’s keep this thread active and visible to push for a fix.
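The gap described in this post (an upgrade visible on the firmware page but absent from the organization changelog) can be checked for mechanically by pulling both records and looking for upgrades with no matching changelog entry. The script below is an added illustration, not code from the thread or from Meraki. The sample records are constructed, and the endpoint paths, field names (`upgradeId`, `time`, `completedAt`, `status`, `network`, `ts`, `networkId`, `page`, `label`) and the 30-day lookback window are assumptions about the Dashboard API and the environment, not facts established in the thread.

```python
"""Cross-check Meraki firmware-upgrade records against the organization
configuration change log and flag upgrades that have no change-log entry.

The sample records below are constructed for this example. Their shape,
and the endpoint paths and field names in the comments, are assumptions
about the Meraki Dashboard API, not taken from the thread.
"""
import json
import urllib.request
from datetime import datetime, timedelta

BASE_URL = "https://api.meraki.com/api/v1"

# Constructed sample shaped like GET /organizations/{orgId}/firmware/upgrades
FIRMWARE_UPGRADES = [
    {   # scheduled by an admin -> expected to appear in the change log
        "upgradeId": "1001",
        "network": {"id": "N_1", "name": "HQ"},
        "status": "Completed",
        "time": "2025-10-10T02:00:00Z",
        "completedAt": "2025-10-10T02:20:00Z",
        "fromVersion": {"shortName": "MS 17.2.1"},
        "toVersion": {"shortName": "MS 18.1.3"},
    },
    {   # scheduled by Cisco, cancelled by a portal user -> no change-log entry
        "upgradeId": "1002",
        "network": {"id": "N_2", "name": "Branch"},
        "status": "Canceled",
        "time": "2025-10-12T02:00:00Z",
        "completedAt": None,
        "fromVersion": {"shortName": "MS 17.2.1"},
        "toVersion": {"shortName": "MS 18.1.3"},
    },
]

# Constructed sample shaped like GET /organizations/{orgId}/configurationChanges
CHANGELOG = [
    {
        "ts": "2025-10-09T14:03:11Z",
        "adminName": "Stephen G",
        "networkId": "N_1",
        "page": "Firmware upgrades",
        "label": "Scheduled upgrade",
        "oldValue": "",
        "newValue": "MS 18.1.3 at 2025-10-10 02:00",
    },
]


def parse_ts(ts):
    """Parse an ISO-8601 timestamp; fromisoformat() only accepts 'Z' from 3.11 on."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def mentions_firmware(entry):
    """True if any descriptive field of a change-log entry refers to firmware."""
    text = " ".join(str(entry.get(k, "")) for k in ("page", "label", "oldValue", "newValue"))
    text = text.lower()
    return "firmware" in text or "upgrade" in text


def find_unlogged_upgrades(upgrades, changelog, lookback=timedelta(days=30)):
    """Return one finding per upgrade that has no firmware-related change-log
    entry for the same network between (scheduled time - lookback) and the
    upgrade's completion time (or its scheduled time if it never completed).
    A cancelled upgrade with no entry in that window is exactly the blind spot
    the thread describes."""
    findings = []
    for up in upgrades:
        scheduled = parse_ts(up["time"])
        window_end = parse_ts(up["completedAt"]) if up.get("completedAt") else scheduled
        matches = [
            c for c in changelog
            if c.get("networkId") == up["network"]["id"]
            and mentions_firmware(c)
            and scheduled - lookback <= parse_ts(c["ts"]) <= window_end
        ]
        if not matches:
            findings.append({
                "upgradeId": up["upgradeId"],
                "network": up["network"]["name"],
                "status": up["status"],
                "toVersion": up["toVersion"]["shortName"],
                "reason": "no firmware-related change-log entry in the expected window",
            })
    return findings


def fetch_json(path, api_key):
    """Fetch one page of a live endpoint (not called in this offline example;
    pagination via the Link header is left to the caller)."""
    req = urllib.request.Request(BASE_URL + path, headers={"X-Cisco-Meraki-API-Key": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in find_unlogged_upgrades(FIRMWARE_UPGRADES, CHANGELOG):
        print(finding)
```

Against the constructed data the script flags only upgrade 1002, the Cisco-scheduled upgrade that was cancelled: the admin-scheduled upgrade on N_1 has a changelog entry inside its window and is not reported. For an audit, replace the two sample lists with the output of the two endpoints for the organization and keep the findings as evidence of which firmware events the changelog never recorded.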

RWelch
Kind of a big deal

"Give your feedback" (previously "Make a Wish") is the best way for your ideas/wishlist to get to their inbox.

PhilipDAth
Kind of a big deal

My test was with a manually scheduled upgrade. I can't simulate Cisco doing the upgrade.


I agree that a Cisco upgrade should be logged somewhere (even if in the event log). I'm thinking it should be logged when the firmware upgrade is done, rather than just the scheduling of it - but at least it should definitely log it somewhere.


You will need to open a support case if you think this is a bug.
