CVE-2025-20241
📋 TL;DR
An unauthenticated attacker on the same Layer 2 network can send a specially crafted IS-IS packet to vulnerable Cisco Nexus switches, causing the IS-IS routing process to restart and potentially triggering a full device reload. This results in a denial of service condition affecting network availability. Only Cisco Nexus 3000 and 9000 Series switches running standalone NX-OS with IS-IS enabled are vulnerable.
💻 Affected Systems
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device reload causing extended network outage, routing protocol reconvergence, and potential cascading failures in the network infrastructure.
Likely Case
IS-IS process restart causing temporary routing instability and brief network disruption until the process recovers or the device reloads.
If Mitigated
Minimal impact if IS-IS is disabled on vulnerable devices or if proper network segmentation prevents Layer 2 adjacency to attackers.
🎯 Exploit Status
Exploitation requires Layer 2 adjacency to the target device and knowledge of IS-IS protocol packet crafting. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to the Cisco Security Advisory for the specific fixed releases per platform
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n39k-isis-dos-JhJA8Rfx
Restart Required: Yes
Instructions:
1. Review the Cisco Security Advisory for the specific fixed releases.
2. Download the appropriate software from Cisco.com.
3. Schedule a maintenance window.
4. Upgrade the NX-OS software following Cisco's upgrade procedures.
5. Verify IS-IS functionality post-upgrade.
🔧 Temporary Workarounds
Disable IS-IS Protocol
If IS-IS is not required for network operations, disable it on vulnerable devices
configure terminal
no router isis
end
copy running-config startup-config
Implement Network Segmentation
Restrict Layer 2 access to IS-IS enabled interfaces using VLANs, ACLs, or private VLANs
configure terminal
interface ethernet X/Y
switchport mode access
switchport access vlan Z
end
copy running-config startup-config
🧯 If You Can't Patch
- Implement strict Layer 2 security controls to prevent unauthorized devices from becoming adjacent to vulnerable switches
- Monitor IS-IS process health and device reloads, and establish rapid response procedures for potential DoS incidents
🔍 How to Verify
Check if Vulnerable:
Check whether the device is a Cisco Nexus 3000/9000 Series switch running standalone NX-OS with IS-IS enabled, using 'show version' and 'show running-config | include router isis'
Check Version:
show version | include Software
Verify Fix Applied:
Verify that the NX-OS version is at or above the fixed release specified in the Cisco advisory, using 'show version'
📡 Detection & Monitoring
Log Indicators:
- IS-IS process restart messages
- Unexpected device reloads
- IS-IS adjacency flapping
- System log messages indicating process crashes
Network Indicators:
- Unusual IS-IS traffic patterns
- Crafted IS-IS packets from unexpected sources
- Routing instability in IS-IS domains
SIEM Query:
source="nxos_logs" AND (("IS-IS" AND (restart OR crash OR reload)) OR ("%SYSTEM" AND "reload"))
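As an added example (not part of this advisory page), a small Python detector that applies the log indicators above to NX-OS syslog text: it flags IS-IS process crashes and restarts, device reloads, and adjacency flapping (repeated UP/DOWN transitions on one interface within a sliding window) rather than every single adjacency change. The sample log lines are constructed, and the message formats are assumed approximations of NX-OS syslog output, not captured device logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample NX-OS syslog lines (illustrative, not from a real device).
SAMPLE_LOGS = """\
2025-03-01T10:00:01 sw1 %ISIS-5-ADJCHANGE: isis-1 LAN adj L2 sw2 on Ethernet1/1 DOWN
2025-03-01T10:00:03 sw1 %SYSMGR-2-SERVICE_CRASHED: Service "isis" (PID 4321) hasn't caught signal 11 (core will be saved).
2025-03-01T10:00:09 sw1 %SYSMGR-5-SERVICE_STARTED: Service "isis" started
2025-03-01T10:00:40 sw1 %ISIS-5-ADJCHANGE: isis-1 LAN adj L2 sw2 on Ethernet1/1 UP
2025-03-01T10:01:05 sw1 %ISIS-5-ADJCHANGE: isis-1 LAN adj L2 sw2 on Ethernet1/1 DOWN
2025-03-01T10:01:30 sw1 %ISIS-5-ADJCHANGE: isis-1 LAN adj L2 sw2 on Ethernet1/1 UP
2025-03-01T10:02:00 sw1 %ETHPORT-5-IF_UP: Interface Ethernet1/5 is up
2025-03-01T10:05:00 sw1 %SYSTEM-2-SYSTEM_MSG: System reload requested after service crash
"""

# "<timestamp> <host> %FACILITY-SEV-MNEMONIC: <message>" (assumed layout)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$")
ADJ_RE = re.compile(r"\bon (?P<iface>\S+) (?P<state>UP|DOWN)$")

def classify(mnemonic, msg):
    """Map one syslog message to an indicator category from the advisory, or None."""
    low = f"{mnemonic} {msg}".lower()
    if mnemonic.startswith("%ISIS-") and ADJ_RE.search(msg):
        return "isis_adjacency_change"
    if "isis" in low and any(k in low for k in ("crash", "terminated")):
        return "isis_process_crash"
    if "isis" in low and any(k in low for k in ("restart", "started")):
        return "isis_process_restart"
    return "device_reload" if "reload" in low else None

def detect(log_text, flap_threshold=3, flap_window_s=300):
    """Return (timestamp, category, detail) findings from NX-OS syslog text."""
    findings, transitions = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cat = classify(m["mnemonic"], m["msg"])
        if cat == "isis_adjacency_change":
            # one adjacency change is routine; report repeated transitions in the window
            iface, ts = ADJ_RE.search(m["msg"])["iface"], datetime.fromisoformat(m["ts"])
            transitions[iface] = [t for t in transitions[iface] + [ts]
                                  if (ts - t).total_seconds() <= flap_window_s]
            if len(transitions[iface]) == flap_threshold:
                findings.append((m["ts"], "isis_adjacency_flapping", iface))
        elif cat:
            findings.append((m["ts"], cat, m["mnemonic"]))
    return findings
```

Tune flap_threshold and flap_window_s to the baseline adjacency churn of your own IS-IS domain before alerting on it.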