CVE-2025-20365
📋 TL;DR
An unauthenticated attacker on the same wireless network can send crafted IPv6 Router Advertisement packets to temporarily change the IPv6 gateway on affected Cisco Access Points. This causes intermittent packet loss for wireless clients. Only Cisco Access Points with specific software versions are affected.
💻 Affected Systems
- Cisco Access Points
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Temporary denial of service for all wireless clients on the affected access point due to IPv6 gateway redirection causing packet loss.
Likely Case
Intermittent connectivity issues for wireless clients as the IPv6 gateway changes temporarily.
If Mitigated
Minimal impact if IPv6 is disabled or proper network segmentation isolates wireless clients.
🎯 Exploit Status
Requires wireless network access and ability to send crafted IPv6 RA packets. No authentication needed once associated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ipv6-gw-tUAzpn9O
Restart Required: No
Instructions:
1. Review Cisco advisory for affected versions.
2. Upgrade to recommended fixed version.
3. No restart required according to advisory.
🔧 Temporary Workarounds
Disable IPv6 on affected access points
Cisco Access Points
Prevents exploitation by disabling IPv6 functionality entirely
no ipv6 enable
Implement RA Guard
Cisco Access Points
Configure RA Guard to filter unauthorized Router Advertisement packets
ipv6 nd raguard policy
interface configuration: ipv6 nd raguard attach-policy
🧯 If You Can't Patch
- Segment wireless networks to limit blast radius
- Monitor for unusual IPv6 RA packet patterns from wireless clients
🔍 How to Verify
Check if Vulnerable:
Check Cisco Access Point software version against affected versions in advisory
Check Version:
show version | include Software
Verify Fix Applied:
Verify software version is updated to fixed version listed in advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual IPv6 RA packets from wireless clients
- Multiple RA packets from single client
Network Indicators:
- Abnormal IPv6 gateway changes
- Increased IPv6 RA packet volume from wireless segment
SIEM Query:
source:wireless AND protocol:IPv6 AND packet_type:RA AND count > threshold
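The indicators above can be checked offline against captured ICMPv6 payloads. The following is an added example, not code from this page or from Cisco: it parses Router Advertisements and flags RAs from sources outside a router allowlist as well as per-source RA counts above a threshold. The function names, addresses, allowlist and threshold value are assumptions, and the sample packets are constructed.

```python
import struct
from collections import Counter
ICMPV6_RA = 134  # ICMPv6 type for Router Advertisement (RFC 4861)

def parse_ra(icmp: bytes):
    """Parse an ICMPv6 message; return RA fields or None if not a well-formed RA."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA or icmp[1] != 0:
        return None
    lifetime = struct.unpack_from("!H", icmp, 6)[0]  # router lifetime in seconds
    ra = {"router_lifetime": lifetime, "src_lladdr": None}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            return None  # zero-length or truncated option: treat as malformed
        if opt_type == 1 and opt_len == 8:  # Source Link-Layer Address option
            ra["src_lladdr"] = icmp[off + 2:off + 8].hex(":")
        off += opt_len
    return ra

def find_suspect_ras(events, authorized_routers, max_per_source=3):
    """events: (ipv6_source, icmpv6_bytes) pairs seen on the wireless segment.
    Returns sorted (source, reason) alerts; allowlist and threshold are assumptions."""
    counts, alerts = Counter(), set()
    for src, icmp in events:
        ra = parse_ra(icmp)
        if ra is None:
            continue  # not an RA, or malformed
        counts[src] += 1
        if src not in authorized_routers:
            alerts.add((src, f"RA from unauthorized source (lladdr "
                             f"{ra['src_lladdr']}, lifetime {ra['router_lifetime']}s)"))
    for src, n in counts.items():
        if n > max_per_source:
            alerts.add((src, "RA volume above threshold"))
    return sorted(alerts)

def build_ra(lifetime, mac):
    """Build a constructed RA (checksum left zero) for the sample data below."""
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    return header + bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))

# Constructed sample: one known router, one wireless client sending RAs.
ROUTERS = {"fe80::1"}
SAMPLE = ([("fe80::1", build_ra(1800, "00:00:5e:00:53:01"))] +
          [("fe80::abcd", build_ra(1800, "00:00:5e:00:53:99"))] * 5 +
          [("fe80::abcd", b"\x87\x00\x00\x00")])  # non-RA stub, ignored

if __name__ == "__main__":
    print(*find_suspect_ras(SAMPLE, ROUTERS), sep="\n")
```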