Login Sign Up

CVE-2025-20163

8.7 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to impersonate Cisco NDFC-managed devices via SSH man-in-the-middle attacks due to insufficient host key validation. Attackers could intercept SSH traffic and capture user credentials. Organizations using Cisco Nexus Dashboard Fabric Controller are affected.

💻 Affected Systems

Products:
  • Cisco Nexus Dashboard Fabric Controller (NDFC)
Versions: All versions prior to the fixed release
Operating Systems: Cisco NDFC appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects SSH connections between NDFC and managed devices. Requires SSH to be enabled and accessible.

📦 What is this software?

Nexus Dashboard by Cisco

View all CVEs affecting Nexus Dashboard →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to network infrastructure, capture credentials, modify configurations, and potentially pivot to other systems.

🟠

Likely Case

Credential theft leading to unauthorized access to managed devices and potential network disruption.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and SSH key management.

🌐 Internet-Facing: HIGH if SSH interfaces are exposed to internet, as unauthenticated remote exploitation is possible.
🏢 Internal Only: MEDIUM to HIGH depending on internal network segmentation and attacker presence.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires man-in-the-middle position on SSH connections. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-shkv-snQJtjrp

Restart Required: Yes

Instructions:

1. Review Cisco advisory for fixed versions. 2. Backup current configuration. 3. Apply NDFC software update. 4. Restart NDFC services. 5. Verify SSH connections to managed devices.

🔧 Temporary Workarounds

Restrict SSH Access

all

Limit SSH connections to NDFC-managed devices using network ACLs and firewall rules

Monitor SSH Connections

all

Implement network monitoring for unusual SSH connection patterns or MITM indicators

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NDFC SSH traffic
  • Deploy certificate-based authentication and SSH key validation monitoring

🔍 How to Verify

Check if Vulnerable:

Check NDFC version against Cisco advisory. Verify SSH host key validation is properly configured.

Check Version:

show version (in NDFC CLI)

Verify Fix Applied:

Confirm NDFC is running patched version. Test SSH connections to managed devices validate host keys.

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH host key validations
  • Unusual SSH connection sources/timing
  • Multiple SSH connection attempts

Network Indicators:

  • SSH traffic interception patterns
  • Unexpected SSH certificate changes
  • MITM attack signatures

SIEM Query:

source="ndfc" AND (event="ssh_failure" OR event="host_key_mismatch")

📊 Metadata

CVE ID: CVE-2025-20163
CVSS v3 Score: 8.7 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE: CWE-322
EPSS Score: 0.03% exploit probability (8.7th percentile)
Published: June 4, 2025
Last Updated: July 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-20163, you might also want to check these:

CVE-2026-1709 9.4

Keylime versions 7.12.0 and later have a critical authentication bypass vulnerability where the regi...

Same vulnerability type (CWE-322)
CVE-2024-47519 8.3

CVE-2024-47519 is a man-in-the-middle vulnerability in Arista's ETM backup upload functionality that...

Same vulnerability type (CWE-322)
CVE-2025-62501 8.1

A misconfiguration in TP-Link Archer AX53 v1.0's SSH hostkey implementation allows attackers to perf...

Same vulnerability type (CWE-322)