First Published: October 19, 2025

Introduction

This is the third security update release for Cisco Prime Infrastructure 3.10.6.

You can install Cisco Prime Infrastructure 3.10.6 Security Update 03 on Cisco Prime Infrastructure 3.10.6 or Cisco Prime Infrastructure 3.10.6 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 01 or Cisco Prime Infrastructure 3.10.6 Security Update 01 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 02 or Cisco Prime Infrastructure 3.10.6 Security Update 02 System Patch. Cisco Prime Infrastructure PI_3_10_6_Security_Update_03-1.0.20.ubf is approximately 1.26 GB.

You must install the Cisco Prime Infrastructure 3.10.6 Security Update 03 mandatory System Patch (PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf- approximately 2.35 GB) after 3.10.6 security update 03 installation. This includes Oracle July 2025 critical patch update. To install the system patch, see Installing the system patch from local storage. The downloading time depends on the available network connection in the enterprise environment. Ensure that you have adequate bandwidth and are not running into high latency issues.


Note

  • If PDMT version 7 is already installed on your system, we recommend installing PDMT version 8 before applying the PI 3.10.6 Security Update 03.

  • If PDMT version 7 is not installed, you can directly install the PI 3.10.6 Security Update 03.

    .

System requirements

For more details on the system requirements, see Understand System Requirements section in the Cisco Prime Infrastructure 3.10 Quick Start Guide.

Installation guidelines

This sections explain how to install the prime infrastructure security update 03 release.

Before you begin installing the maintenance release

You can install Cisco Prime Infrastructure 3.10.6 Security Update 03 on Cisco Prime Infrastructure 3.10.6 or Cisco Prime Infrastructure 3.10.6 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 01 or Cisco Prime Infrastructure 3.10.6 Security Update 01 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 02 or Cisco Prime Infrastructure 3.10.6 Security Update 02 System Patch from Software Download page.

Since the update release is not removable, it is important to have a way to revert your system to the original version in case hardware or software problems cause the maintenance release installation to fail. To ensure you can do this, take a backup of your system before downloading and installing this UBF maintenance release.

Similarly, if you are running Prime Infrastructure 3.10.6 in a Virtual Machine (VM) and your organization permits taking VM snapshots, stop Prime Infrastructure and use the VMware client to take a VM snapshot before applying this update release. Store the snapshot in an external storage repository, and restore from the snapshot if the update release installation is unsuccessful. For more details, see Restore an Application Backup in the Cisco Prime Infrastructure 3.10 Administrator Guide.

To revert to Prime Infrastructure 3.10.6 security update 03 installation (with PI 3.10.x, PI 3.9.x, PI 3.8.x, or PI 3.7.x backup), follow these steps:

  1. Reinstall Prime Infrastructure 3.10 from an OVA or ISO distribution.

  2. Upgrade to Cisco Prime Infrastructure 3.10.2 using tar bundle and install PI 3.10.2 system patch once after upgrade is completed. For more information, see Cisco Prime Infrastructure 3.10.2 Release Notes.

  3. Install Cisco Prime Infrastructure 3.10.6.

  4. Install Cisco Prime Infrastructure 3.10.6 System Patch.

  5. Install Cisco Prime Infrastructure 3.10.6 Security Update 03.

  6. If you have a prior 3.10.x, 3.9.x, PI 3.8.x, PI 3.7.x backup - Restore this backup.

Installing the release from local storage


Caution
If you have a High Availability (HA) environment, remove the HA setup before proceeding to install this release. For more details, see Installing the maintenance release in high availability mode .

Make sure that you have completed the recommended preparation steps given in Before you begin installing the maintenance release.

To install Cisco Prime Infrastructure 3.10.6 security update 03 from the local storage, follow these steps:


Note
You can only install Cisco Prime Infrastructure 3.10.6 security update 03 by manual download from Cisco.com and upload and install through Cisco Prime Infrastructure UI.

Procedure

Step 1

Download the Prime Infrastructure PI_3_10_6_Security_Update_03-1.0.20.ubf from Home > Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure > Prime Infrastructure 3.10 > Prime Infrastructure Patches - 3.10.6 and save the file in your local system.

Step 2

Log in to Cisco Prime Infrastructure 3.10.6 or Cisco Prime Infrastructure 3.10.6 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 01 or Cisco Prime Infrastructure 3.10.6 Security Update 01 System Patch or Cisco Prime Infrastructure 3.10.6 Security Update 02 or Cisco Prime Infrastructure 3.10.6 Security Update 02 System Patch installed server.

Step 3

Choose Administration > Licenses and Software Updates > Software Update.

Step 4

Click Upload and browse to the location where you have saved the maintenance release file. Click OK to upload the file.

Step 5

In the Status of Updates pane, click the Files tab and check whether PI_3_10_6_Security_Update_03-1.0.20.ubf is listed under FileName column.

Step 6

In the Critical Fixes pane, click Install.

Note

 
Do not manually restart the server while the installation is in progress.

Step 7

Click Yes in the pop-up dialogue box to install Cisco Prime Infrastructure 3.10.6 security update 03. It may take approximately 45 minutes for the installation process to complete.

Step 8

You can verify the release installation from Prime Infrastructure Login under Critical Fixes by clicking View Installed Updates and also by logging into the server and choosing Administration > Software Update. You should see a listing for the release in the Updates tab, with Installed in the Status column.

Installing the maintenance release in high availability mode

Download PI_3_10_6_Security_Update_03-1.0.20.ubf from Home > Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure > Prime Infrastructure 3.10 > Prime Infrastructure Patches - 3.10.6 and save the file in your local system.

To install the downloaded PI_3_10_6_Security_Update_03-1.0.20.ubf in High Availability mode follow the below prerequisites:


Note
Prime Infrastructure 3.10.6 security update 03 can be applied only in primary and secondary standalone servers. The server will restart automatically once the installation is complete. The restart typically takes more than 45 minutes. You cannot apply Prime Infrastructure 3.10.6 security update 03 when HA is enabled.

  • If you are installing Cisco Prime Infrastructure 3.10.6 security update 03 on High Availability (HA) paired servers, you will get an error message.

For more details, see Remove HA Via the GUI in the Cisco Prime Infrastructure 3.10 Administrator Guide.

  • Continue the patching once HA removed completely. For more details, see the How to Patch New HA Servers section in the Cisco Prime Infrastructure 3.10 Administrator Guide .

Troubleshooting maintenance release installs in high availability implementations

If you are unable to apply this maintenance release in a High Availability (HA) implementation, check whether your network bandwidth, throughput and latency meets the network requirements recommended in Network Throughput Restrictions on HA section in the Cisco Prime Infrastructure 3.10 Administrator Guide. In a few cases, continued or intermittent throughput problems can cause a complete failure. If you believe this has occurred, contact Cisco TAC for support.

If you are unable to verify that this maintenance release has been successfully installed on a Prime Infrastructure server, or one or both of the servers fails to restart properly after installing the maintenance release, you may need to re-image the server as explained in Before you begin the maintenance release before continuing.

In all cases, you can use the backup-logs command on one or both servers to get information on the source of the failure. For more information, see the backup-logs section in the Cisco Prime Infrastructure 3.10 Command Reference Guide .

Installing the system patch from local storage

  • You can only install Cisco Prime Infrastructure PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf by manual download from Cisco.com and upload and install through Cisco Prime Infrastructure UI.

    Cisco Prime Infrastructure PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf can be applied only in primary and secondary standalone servers. The server will restart automatically once the installation is complete. The restart typically takes 1 hour.

To install Cisco Prime Infrastructure PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf from the local storage, follow these steps:

Procedure

Step 1

Download the Prime Infrastructure PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf Home > Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure > Prime Infrastructure 3.10 > Prime Infrastructure Patches - 3.10.6 and save the file in your local system.

Step 2

Log in to Prime Infrastructure 3.10.6 Security Update 03 server.

Step 3

Choose Administration > Licenses and Software Updates > Software Update.

Step 4

Click Upload and browse to the location where you have saved the system patch file. Click OK to upload the file.

Step 5

In the Status of Updates pane, click the Files tab and check whether PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf is listed under FileName column.

Step 6

In the Critical Fixes pane, click Install.

Step 7

Click Yes in the pop-up dialogue box to install Cisco Prime Infrastructure PI_3_10_6_Security_Update_03_SystemPatch-1.0.3.ubf. It may take approximately 1 hour for the installation process to complete.

Note

 
Do not manually restart the server while the installation is in progress.

Step 8

You can verify the release installation from Prime Infrastructure Login under Critical Fixes by clicking View Installed Updates and also by logging into the server and choosing Administration > Software Update. You should see a listing for the release in the Updates tab, with Installed in the Status column.

Important notes

  • A client count mismatch issue has been identified in Cisco Prime Infrastructure 3.10.6 Security Update 03 due to the wireless LAN controller (WLC) telemetry failing to transmit data correctly. Cisco IOS XE versions 17.18.1 and 17.18.2 are incompatible with Cisco Prime Infrastructure. Upgrading Cisco Catalyst 9800 Wireless Controllers to version 17.18.3 is advised to ensure compatibility with Cisco Prime Infrastructure.

  • Prime was migrated to Smart Receiver and as per their guidelines Direct and Transport Gateway mode is not supported. You must use Proxy to enable smart license using new url https://smartreceiver.cisco.com/licservice/license.

  • Cisco announced the End-of-Life and End-of-Sale for all versions of Prime Infrastructure. Please use the PDMT to migrate data to Cisco Catalyst Center or use Cisco Networking Bot for self-help migration. For more information reach out to the migration team at primetodnacmigration@external.cisco.com.

  • After installing Prime Infrastructure 3.10.6, you will be notified with the below warning message during ncs status, show version, ncs stop, ncs start, and restore console and this can be ignored as there is no functionality impact:

    SLF4J: Class path contains multiple SLF4J bindings.

    SLF4J: Found binding in [jar:file:/opt/CSCOlumos/lib/xmp-third-party/com.cisco.xmp.osgi.slf4j-log4j12-1.5.8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]

    SLF4J: Found binding in [jar:file:/opt/CSCOlumos/lib/xmp-third-party/log4j-slf4j-impl-2.20.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]

    SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.

  • By default, the Auto monitoring device health does not monitor Security and VPN Devices. Due to this, Security and VPN Devices such as ASA devices does not appear in the Wired Device Availability report. To include them in the report, you will need to create an additional Device Health policy in the Monitoring Polices and select the ASA device in the policy, and generate the report.

  • Cisco Prime Infrastructure supports only one unique registration interface for each GDOI group. If you need multiple registration interface support, please contact the Cisco Technical Assistance Center (TAC).

  • The EOL/EOS message always appears in the login page of Prime Infrastructure.

  • The EOL/EOS message appears in a pop-up notification window every time the user login to the Prime Infrastructure. However, after restart of the Prime Infrastructure services, the pop-up message will not be notified in the future.

  • When you restore to Cisco Prime Infrastructure 3.10.6 from earlier versions 3.7.x, 3.8.x, 3.9.x, 3.10.x backup, you will be notified with the following warnings in the restore console window:
    
Warning:
<verisigntsaca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<airespace-root> uses a 1536-bit RSA key which is considered a security risk. This key size will be disabled in a future update. 
<verisignclass1ca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass1g2ca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass2g2ca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3ca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3g2ca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisigntsaca> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Warning:
<airespace-root> uses a 1536-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
    These warning messages are displayed due to the recent upgrade of JRE in Prime Infrastructure 3.10.2. For more information, see JDK-8172404.

Resolved bugs

List of bugs resolved in Prime Infrastructure Release 3.10.6 security update 03

Click the identifier to view the impact and workaround for the caveat. This information is displayed in the Bug Search Tool. You can track the status of the open caveats using the Bug Search Tool.

Table 1. Resolved bugs

Identifier

Description

CSCwk83958

 RHEL 7 : libndp (RHSA-2024:4622)

CSCwm08678

 RHEL 7 : krb5 (RHSA-2024:5076)

CSCwm27770

 RHEL 7 : kernel (RHSA-2024:5259)

CSCwm39724

 RHEL 7 : bind (RHSA-2024:5930) , linux-firmware (RHSA-2024:5978)

CSCwm70421

 RHEL 7 : kernel (RHSA-2024:6994)

CSCwm89212

 RHEL 7 : systemd (RHSA-2024:7705) , libcurl 7.32.0 < 8.9.1 DoS (CVE-2024-7264)

CSCwn20699

 RHEL 7 : krb5 (RHSA-2024:8788)

CSCwn43768

 RHEL 7 : tuned (RHSA-2024:10381)

CSCwn55034

 RHEL 7 : unbound (RHSA-2024:11003),RHEL 7 : squid (RHSA-2024:11049)

CSCwo07971

 RHEL 7 : kernel (RHSA-2025:1281)

CSCwo34882

 RHEL 7 : bind (RHSA-2025:1718) , RHEL 7 : gcc (RHSA-2025:1601) , RHEL 7 : krb5 (RHSA-2025:1352)

CSCwo40616

 RHEL 7 : emacs (RHSA-2025:2130)

CSCwo69551

 RHEL 7 : xorg-x11-server (RHSA-2025:2879) & libxml2 (RHSA-2025:2673) & kernel (RHSA-2025:2501)

CSCwo80583

 RHEL 7 : grub2 (RHSA-2025:3396) & RHEL 7 : freetype (RHSA-2025:3395) & RHEL 7 : libxslt (RHSA-2025:3612)

CSCwo80591

 Apache POI < 5.4.0 Improper Input Validation

CSCwo95368

 RHEL 7 : kernel (RHSA-2025:3880) & RHEL 7 : libxslt (RHSA-2025:4098)

CSCwp13403

 Apache ActiveMQ 5.16.x < 5.16.8 / 5.17.x < 5.17.7 / 5.18.x < 5.18.7 / 6.x < 6.1.6 DoS (CVE-2025-27533)

CSCwp38522

 OpenSSH < 9.9p1 Multiple vulnerabilities

CSCwp65180

 XSS (Cross-Site Scripting) vulnerability in PI 3.10.6 Security Update 01

CSCwq07943

 Apache Tomcat 9.0.0.M1 < 9.0.105

CSCwq30686

 Apache Tomcat 9.0.0.M1 < 9.0.107 multiple vulnerabilities

CSCwq47790

 Oracle Java SE Multiple Vulnerabilities (July 2025 CPU) & Oracle Database Server (July 2025 CPU)

CSCwq54950

 Apache 2.4.x < 2.4.64 Multiple Vulnerabilities & Apache 2.4.x < 2.4.65

CSCwq77412

OpenSSL 1.1.1 < 1.1.1zb Vulnerability

CSCwq94675

 Apache Tomcat 9.0.0.M1 < 9.0.108

CSCwq61594

Observing client count mismatch in Prime Infrastructure 3.10.6.

CSCwr00639

 RHEL 7 : mpfr (RHSA-2025:9332) , RHEL 7 : sqlite (RHSA-2025:12349),

CSCwr00649

 RHEL 7 : pam (RHSA-2025:10357), RHEL 7 : microcode_ctl (RHSA-2025:10108), RHEL 7 : sudo (RHSA-2025:10871)

CSCwr00657

 RHEL 7 : libxml2 (RHSA-2025:12240), libxml2 (RHSA-2025:13464), libxml2 (RHSA-2025:13789), libxml2 (RHSA-2025:13789)

CSCwr18084

 RHEL 7 : kernel (RHSA-2025:7898), RHEL 7 : glibc (RHSA-2025:10219),

CSCwr18100

 RHEL 7 : xorg-x11-server (RHSA-2025:10360), RHEL 7 : kernel (RHSA-2025:11358)

CSCwr18105

 RHEL 7 : squid (RHSA-2025:14414), RHEL 7 : gdk-pixbuf2 (RHSA-2025:14683) ,RHEL 7 : squid (RHSA-2024:11049)

CSCwr18108

 RHEL 7 : kernel (RHSA-2025:14748)

CSCwr44677

 Azul Zulu Java Multiple Vulnerabilities (2025-04-15)

CSCwq34376

 Missing Compatibility Information for Cisco Catalyst 9800-CL WLC (Version 17.12.5) and Prime Infrastructure (PI) 3.10.6

Submitting Feedback

Your feedback will help us improve the quality of our product. You must configure the email server and then enable data collection to configure the feedback tool. To send your feedback, follow these steps:

Procedure

Step 1

If you have configured your mail server, go to Step 4.

Step 2

Choose Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.

Step 3

In the Mail Server Configuration page, enter the mail server details, then click Save to save the configuration settings.

Step 4

Choose Administration > Settings > System Settings > General > Help Us Improve.

Step 5

In the Help Us Improve Cisco Products page, select Yes, collect data periodically, then click Save.

Step 6

Click the Settings icon, then select Feedback > I wish this page would.

Step 7

Enter your feedback, then click OK.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html .

Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.