Cisco has issued a Excessive-severity safety advisory alerting clients to a important vulnerability within the Intermediate System-to-Intermediate System (IS-IS) characteristic of NX-OS Software program for Cisco Nexus 3000 and 9000 Collection switches.
Tracked as CVE-2025-20241 with a CVSS base rating of seven.4, the flaw might enable an unauthenticated, Layer 2-adjacent attacker to ship a malformed IS-IS packet that restarts the IS-IS course of, probably reloading the machine and inflicting a denial-of-service (DoS) situation.
Key Takeaways1. Cisco Nexus 3000/9000 IS-IS flaw permits adjoining DoS.2 No workaround; allow IS-IS space authentication.3. Apply Cisco’s free NX-OS replace.
Cisco Nexus 3000 and 9000 Vulnerabilities
The vulnerability stems from inadequate enter validation when parsing ingress IS-IS packets. An attacker should be on the identical broadcast area because the goal change and may exploit the flaw by transmitting a specifically crafted IS-IS L1 or L2 packet.
Upon receipt, the NX-OS IS-IS daemon might crash and subsequently reload the whole change, disrupting community routing and visitors forwarding. This situation impacts:
Cisco Nexus 3000 Collection Switches
Cisco Nexus 9000 Collection Switches in standalone NX-OS mode
Solely units with IS-IS enabled on not less than one interface are weak. Merchandise similar to Nexus 9000 in ACI mode, Firepower 1000/2100/4100/9300, MDS 9000, and UCS Material Interconnects are confirmed not weak.
The advisory notes that if IS-IS authentication is configured, the attacker should provide legitimate keys to take advantage of the problem.
To confirm IS-IS standing, directors can run the CLI command:
Presence of characteristic isis, router isis identify, and not less than one ip router isis identify entry confirms publicity. To view dwell IS-IS friends, use:
Danger FactorsDetailsAffected ProductsCisco Nexus 3000 Collection SwitchesCisco Nexus 9000 Collection Switches (standalone NX-OS)ImpactIS-IS course of restart inflicting machine reload (DoS)Exploit PrerequisitesLayer 2 adjacency; IS-IS enabled on interfaceCVSS 3.1 Score7.4 (Excessive)
No non permanent workarounds exist; nonetheless, enabling space authentication for IS-IS can mitigate danger by requiring attackers to authenticate earlier than sending malicious packets.
Cisco strongly recommends that clients completely consider this mitigation to make sure compatibility with their community necessities.
Cisco has launched free software program updates to deal with the vulnerability. Prospects with legitimate service contracts ought to obtain and set up the fastened releases from the Cisco Assist and Downloads portal.
For these with out service contracts, contacting the Cisco TAC with the advisory URL and product serial quantity will allow entitlement to the mandatory patches.
Bored with Filling Kinds for safety & Compliance questionnaires? Automate them in minutes with 1up! Begin Your Free Trial Now!
