CVE-2025-20111
📋 TL;DR
An unauthenticated adjacent attacker can send crafted Ethernet frames to Cisco Nexus 3000/9000 Series Switches in standalone NX-OS mode, causing the device to reload and creating a denial of service. This affects network administrators using these switches in environments where attackers have adjacent network access.
💻 Affected Systems
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation causes repeated device reloads, creating extended network outages and disrupting all services running through affected switches.
Likely Case
Attackers with adjacent access cause periodic device reloads, resulting in intermittent network downtime and service disruption.
If Mitigated
With proper network segmentation and access controls, only authorized adjacent devices can reach the vulnerable interface, limiting exploit potential.
🎯 Exploit Status
Exploitation requires sending sustained crafted Ethernet frames, which requires network access and knowledge of frame crafting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco Security Advisory for specific fixed releases
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k-healthdos-eOqSWK4g
Restart Required: No
Instructions:
1. Check current NX-OS version. 2. Download appropriate fixed release from Cisco. 3. Follow Cisco's upgrade procedures for Nexus switches. 4. Verify upgrade completion and monitor for stability.
🔧 Temporary Workarounds
Implement Network Segmentation
allRestrict access to the health monitoring interface to trusted devices only using VLANs, ACLs, or private networks.
interface ethernet 1/1
switchport access vlan 100
switchport mode access
🧯 If You Can't Patch
- Implement strict network access controls to limit adjacent device access to vulnerable switches.
- Monitor network traffic for unusual Ethernet frame patterns and set up alerts for device reloads.
🔍 How to Verify
Check if Vulnerable:
Check if device is Cisco Nexus 3000/9000 Series running NX-OS in standalone mode using 'show version' command.Check Version:
show version | include NX-OSVerify Fix Applied:
Verify NX-OS version is at or above the fixed release specified in Cisco's advisory using 'show version'.📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads in system logs
- Health monitoring service errors or crashes
Network Indicators:
- Unusual sustained Ethernet frame traffic to switch management interfaces
- Patterns of crafted frames matching exploit characteristics
SIEM Query:
source="nexus_switch" AND (event_type="reload" OR message="unexpected reload")