CVE Alert: CVE-2025-20241 – Cisco – Cisco NX-OS Software
CVE-2025-20241
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, which could cause an affected device to reload. This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device. A successful exploit could allow the attacker to cause the unexpected restart of the IS-IS process, which could cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device.
AI Summary Analysis
Risk verdict
High risk: an adjacent attacker can trigger a denial-of-service by sending crafted IS-IS packets, potentially causing a device reload.
Why this matters
Unauthenticated, low-effort exploitation could disrupt routing and service availability in networks that rely on Layer 2 IS-IS. In data-centre or large-enterprise fabrics with spine-leaf or core switches, a single reload can propagate outages and impact multiple services.
Most likely attack path
An attacker must be on the same Layer 2 segment to deliver the crafted IS-IS packet. With low complexity and no privileges required, automated testing or broad probing is plausible. If successful, the IS-IS process restarts or the device reboots, causing downtime and potential routing instability across adjacent devices.
Who is most exposed
Networks running IS-IS on core/aggregation switches in data-centre or large-enterprise environments, especially where Nexus 3000/9000 switches operate in standalone NX-OS mode and share a Layer 2 fabric.
Detection ideas
- IS-IS process restart or device reboot events logged in syslog.
- Spikes in control-plane CPU/memory coincident with IS-IS traffic surges.
- Unusual IS-IS adjacency flaps or mass SPF recalculations.
- Anomalous IS-IS packet rate or malformed/unexpected LSPs detected by network telemetry.
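As an added illustration of the first and third detection ideas (not part of the original alert), the following script correlates IS-IS process restarts with adjacency flaps in syslog. The log lines and message formats are constructed placeholders; the regular expressions must be adapted to the exact messages the affected switches emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real NX-OS output); message wording is a
# placeholder and the patterns below are assumptions to adapt per platform.
SAMPLE_LOG = """\
2025-03-01T10:00:01 leaf1 isis: adjacency with neighbor SPINE1 on Eth1/1 changed to DOWN
2025-03-01T10:00:03 leaf1 isis: adjacency with neighbor SPINE1 on Eth1/1 changed to UP
2025-03-01T10:00:09 leaf1 isis: adjacency with neighbor SPINE1 on Eth1/1 changed to DOWN
2025-03-01T10:00:12 leaf1 isis: adjacency with neighbor SPINE1 on Eth1/1 changed to UP
2025-03-01T10:00:20 leaf1 isis: adjacency with neighbor SPINE2 on Eth1/2 changed to DOWN
2025-03-01T10:00:31 leaf1 sysmgr: service isis (PID 4242) terminated unexpectedly, restarting
2025-03-01T10:05:00 leaf1 isis: adjacency with neighbor SPINE2 on Eth1/2 changed to UP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")          # ts host proc: msg
ADJ_RE = re.compile(r"adjacency with neighbor (\S+) on (\S+) changed to (UP|DOWN)")
RESTART_RE = re.compile(r"service isis .*?(terminated|restart)", re.IGNORECASE)

def detect_isis_instability(log_text, flap_threshold=3, window=timedelta(seconds=60)):
    """Return IS-IS process restarts and neighbours whose adjacency changed
    state at least `flap_threshold` times within any `window`-long interval."""
    restarts = []
    changes = defaultdict(list)  # (host, neighbor, iface) -> [timestamps]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        host, proc, msg = m.group(2), m.group(3), m.group(4)
        if RESTART_RE.search(f"{proc}: {msg}"):
            restarts.append((host, ts))
        adj = ADJ_RE.search(msg)
        if adj:
            changes[(host, adj.group(1), adj.group(2))].append(ts)
    flapping = {}
    for key, stamps in changes.items():
        stamps.sort()
        for i, start in enumerate(stamps):  # sliding window over sorted events
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= flap_threshold:
                flapping[key] = n
                break
    return {"restarts": restarts, "flapping": flapping}

if __name__ == "__main__":
    print(detect_isis_instability(SAMPLE_LOG))
```

A restart that coincides with flapping on several neighbours within the same window is the pattern worth paging on; isolated adjacency changes during maintenance are expected noise.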
Mitigation and prioritisation
- Apply the vendor-provided patch or upgrade to a fixed NX-OS release; coordinate with change management and test in a lab before wide rollout.
- If immediate patching isn’t feasible, disable IS-IS where not required, or restrict Layer 2 adjacencies via access controls and segmentation to limit exposure.
- Review and tighten network segmentation (VLANs, isolation of vulnerable devices) and ensure robust backups and a rollback plan.
- Enhance monitoring and alerting for IS-IS process stability, including automated detection of unexpected reboots and routing churn.
- Note: no KEV or EPSS data provided here; monitor for updates and escalate if those indicators change (treat as priority 1 if they indicate high exploitation likelihood).