Legally obtain Cisco IOS updates for free

Lets say you have a Cisco router that’s running an out of date IOS version and want to get a more recent image. It’s safe to say you’ll want to avoid resorting to piracy, Perhaps you don’t want to spend the money on a SMARTnet subscription. There’s a way to legally obtain an updated version that many people over look, security updates.

As it stands, CISCO’s security vulnerability policy states that (emphasis mine):

As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free of charge software updates to address security problems. If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the Contact Summary section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update.

Great! So we can probably get free updates if they fix a security issue, so what next? Head over to a handy on-line Cisco tool to identify what vulnerabilities are present in the version of IOS you’re running. Paste in the output of the “show ver” command and you’ll be presented with a list of vulnerabilities affecting your device.

Providing sh ver output to software checker

With that information, send TAC Support an e-mail including the output of the “show ver” command and the list of vulnerabilities and you will be sent a one-off link to obtain the latest IOS image for your device, free of charge.

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer, in his spare time he enjoys tinkering with technology and rock climbing.

19 thoughts on “Legally obtain Cisco IOS updates for free”

  1. After 2 years of this post, i can say it still works.
    After sending few emails with the TAC i just got from them the lastest firmware for my cisco router.
    Just a mention for anybody that is trying to obtain free firmware from TAC. After 2-3 emails, they said i cannot ever obtain a free firmware from them, but i just copy-pasted the following lines from any cisco security advisory, from the Obtaining Fixed Software section:
    “Customers Without Service Contracts

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.”

  2. I needed ap3g2-k9w7-tar.153-3.JC.tar and followed the above instructions on February 3, 2016. It worked for me as TAC has responded with an account login…

    Thank you!

  3. Tried this on 02/03/17 and can confirm this DOES work. I too sent an email to with my AP model, serial number, a screenshot of my current firmware version, the snippet from the security advisory mentioned above, and a link to the vulnerability page provided from the Cisco Software Checker.

    I was connected to a rep and had my firmware within a few hours. Maybe I was lucky, but I appreciated how fast they contacted me.

  4. Thank you so much for that posting. Just used it to get updates for a 17oo series AP…

    Had to register and write three email’s, the last one I had to remind them about their “security vulnerability policy” but after that I got a call only half an our after the call. The Agent asked once more for the vulnerability’s and the serial’s and forwarded it to an engineer to send me the link…

    I’m surprised and happy

  5. Many thanks for this; I can also say that as of 17th May 2017, this still works. I sent an email to TAC with the information as above; was contacted by an engineer and advised of which software build I should get.
    I responded to the engineer, pointing out Cisco’s policy and requesting a free update…

    ….and I have now just loaded IOS 15.4(3)M7 to my 887VAGW following downloading it from the link supplied.

  6. As of March 2018, this still works. Cisco creates a TAC case and one gets an engineer assigned. They publish the IOS to your cisco account for 3 days to download. Thank you guys very much!! Saved me $$ and lots of trouble!!

  7. March 2018, still works ! I did the same process for my ASA that was running in 8.6. Cisco support gave me the 9.1 version. Thanks for the tips 😉

  8. I’m currently struggling with this. I emailed them 6 days ago and again 2 days ago. Included all the required information but didn’t get any response, not even an automated one.

    (This is about an AP I just bought which shipped with outdated firmware affected by the infamous KRACK vulnerabilities. I honestly didn’t know you need a service contract just to download firmware updates without having to beg for them. I mean it’s not a $$$$$ router, just an access point for 200 bucks… Seriously, Cisco?)

  9. Still working!

    I have two separate devices I came into possession of recently, since I’m currently studying for my CCNA. I had two separate tickets in to TAC engineers (for a Cisco 2800 router and a 3560 8-port switch). My first email this morning was sent late last night after midnight. They got back to me a few hours later and the back and forth emails started at about 9:30 when I woke up this morning. Just now, at about 4PM I downloaded both IOS images for both devices after they sent me a special link to download them.

    Now I gotta learn how to update both devices

    Thanks for this information!

  10. I have several cisco kit with serious outdated SW on them.
    From Nexus, ASA’s, Catalyst switches, etc.
    It was quite time consuming trying to get the free upgrades from Cisco, however, in order to save time to others that find this blog and seek the same solution to their problem here’s what you need to provide to them to get a successful TAC opened.

    email with the following information:
    Device: Cisco Catalyst WS-C4948E-F
    Serial: XXXXXX (you can find this under the show version command, and that’s why they usually ask for the show version output).
    Software running version: 15.0(2)SG
    filename: cat4500e-entservicesk9-mz.150-2.SG.bin
    CVE(s): CVE-2017-5638, CVE-2015-0721, CVE-2015-0235

    The above is just an example, but your real challenge will be to prove to them that your device is affected by this CVE’s and it’s eligible for a FREE upgrade.
    About CVE’s, you can search them here

    When you point out a CVE to Cisco support, you’ll have to use only CVE’s that specify on their report that they are FREE.
    If you don’t do this, they will come back to you and say the CVE you’re providing them is not valid for a free upgrade.
    The way you can do this is:
    1- search for your device (or device series) on the above mentioned link (I’ll use the same device described above for this example)
    2- if you get a lot of results, filter by severity 1, it will narrow down the most critical ones.
    3- click on one of them to go into the CVE’s specific page
    4- control + F your browser to search for the word “free”
    5- find where it says: “Cisco has released free software updates that address the vulnerability described in this advisory. ”
    bam! you found a CVE that will give your request validation through the support line.
    note: if you can’t find anything in that CVE’s page saying “free”, it’s because that CVE isn’t valid to request a free upgrade from Cisco.

    Also, as said before, you will need to remind them that according to their Security Vulnerability Policy (, under “Security Software Updates” section there’s this paragraph that states:
    “As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Cisco Security Advisories. ”

    Hope this post saves people’s time in dealing with these issues.

  11. I need automous files for access point LAP1141 : c1140-k9w7-tar.default to recycle an old but efficient hardware

    Somebody can help me?

  12. I need wireless controller software for Air 3602i and Air 3702i please. It is complex to get a hold of the software through Cisco and its Cisco partners/sellers.

    Thank you so much.

  13. Thank you very much for your advice! TAC was able to provide me with the latest security-patched version image file for my device. They had great customer service, it took less than an hour from sending my first email to flashing my AP.

Leave a Reply to Anoop Pattat Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.