Cyber Web Spider Blog – News


Cisco Nexus Dashboard Fabric Controller Vulnerability Allows Attackers to Impersonate Managed Devices

Posted on June 5, 2025 By CWS

A high-severity vulnerability has been found in Cisco’s Nexus Dashboard Fabric Controller (NDFC) that could allow unauthenticated attackers to impersonate managed network devices through compromised SSH connections.

The vulnerability, tracked as CVE-2025-20163, carries a CVSS base score of 8.7 and affects all versions of Cisco NDFC regardless of device configuration.

Security researchers from REQON B.V. identified the flaw, which stems from insufficient SSH host key validation mechanisms throughout the NDFC infrastructure.

Cisco NDFC SSH Vulnerability

The vulnerability exploits a fundamental weakness in the SSH implementation of Cisco NDFC, specifically related to CWE-322 (key exchange without entity authentication).

The affected system fails to properly validate SSH host keys during connection establishment, creating an opportunity for malicious actors to conduct machine-in-the-middle (MITM) attacks.

The CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:X/RL:X/RC:X indicates that while the attack complexity is high, the attack requires no user interaction and can be executed remotely without prior authentication.

Cisco NDFC, previously known as Data Center Network Manager (DCNM) in releases 11.5 and earlier, serves as a centralized management platform for data center network fabrics.

The vulnerability is catalogued under Cisco Bug ID CSCwm50501 and affects the core SSH communication protocols that NDFC uses to manage network devices.

The flaw allows attackers to position themselves between the NDFC controller and managed devices, potentially intercepting and manipulating network management traffic.

Exploitation of this vulnerability allows attackers to perform sophisticated impersonation attacks against Cisco NDFC-managed devices.

By leveraging the insufficient SSH host key validation, threat actors can establish fraudulent SSH connections that appear legitimate to both the NDFC controller and network administrators.

This positioning allows attackers to capture sensitive user credentials, intercept configuration changes, and potentially inject malicious commands into the network management workflow.

The machine-in-the-middle attack vector poses significant risks to enterprise network security, as compromised credentials could lead to broader network compromise.

Attackers successfully exploiting this vulnerability could gain unauthorized access to critical network infrastructure components, modify device configurations, or establish persistent backdoors throughout the managed network environment.

| Risk Factors | Details |
|---|---|
| Affected Products | NDFC, all versions prior to 12.2.3, including releases previously branded as Cisco Data Center Network Manager (DCNM) 11.5 and earlier |
| Impact | Enables device impersonation attacks |
| Exploit Conditions | Network access to SSH communication channels between NDFC and managed devices; capability to perform machine-in-the-middle (MITM) attacks on TCP port 22 traffic |
| CVSS 3.1 Score | 8.7 (High) |

Mitigations

Cisco has released comprehensive software updates to address this vulnerability, with no available workarounds for affected systems.

Organizations running vulnerable versions must migrate to Cisco Nexus Dashboard Release 3.2(2f), which includes NDFC Release 12.2.3 containing the necessary security fixes.

The remediation introduces a new SSH host key verification feature that remains disabled by default to maintain backward compatibility with existing deployments.

For customers using Cisco Nexus Dashboard Release 3.1, immediate migration to the fixed release is required, as no patch is available for this version.

The fix implements enhanced SSH host key validation mechanisms that prevent unauthorized device impersonation attempts.
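What SSH host key verification checks, as an added illustration that is not Cisco's code and not taken from the advisory: the key a device presents is compared with the key pinned for that host, and a mismatch or an unknown host is rejected. The host names, addresses and key blobs are constructed sample data, and `strict=False` stands in for a client that skips the check.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def constructed_ed25519_blob(seed: bytes) -> bytes:
    """Constructed sample key blob: correct layout, arbitrary 32 key bytes."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())

def key_type(blob: bytes) -> str:
    """Return the algorithm name stored at the start of a public key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if not 0 < n <= len(blob) - 4:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def load_pins(known_hosts: str) -> dict:
    """Parse unhashed 'hosts keytype base64' lines into {(host, type): blob}."""
    pins = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        blob = base64.b64decode(fields[2], validate=True)
        if key_type(blob) != fields[1]:
            raise ValueError("key type does not match blob for " + fields[0])
        for host in fields[0].split(","):
            pins[(host, fields[1])] = blob
    return pins

def check_host_key(host: str, presented: bytes, pins: dict, strict: bool = True):
    """Return (accepted, reason) for the key a server presented in key exchange."""
    if not strict:
        return True, "accepted without verification"  # no entity authentication
    pinned = pins.get((host, key_type(presented)))
    if pinned is None:
        return False, "no pinned key for host"
    if hmac.compare_digest(pinned, presented):
        return True, "match " + fingerprint(presented)
    return False, "MISMATCH: presented " + fingerprint(presented)

# Constructed sample data: a managed switch's pinned key and a different key.
SWITCH_KEY = constructed_ed25519_blob(b"leaf-101 genuine")
OTHER_KEY = constructed_ed25519_blob(b"interposed host")
PINS = load_pins("leaf-101.example,192.0.2.10 ssh-ed25519 "
                 + base64.b64encode(SWITCH_KEY).decode() + "\n")
```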

Network administrators should consult the SSH Host Key Mismatch section of the Overview and Initial Setup of Cisco NDFC documentation for proper configuration guidance.

Organizations should prioritize this update given the high CVSS score and potential for credential compromise. Cisco plans to enable the new SSH host key verification feature by default in future releases, emphasizing the critical nature of this security enhancement.
