CVE-2025-20241
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2025-08-29

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, which could cause an affected device to reload. This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device. A successful exploit could allow the attacker to cause the unexpected restart of the IS-IS process, which could cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2025-08-29
Generated
2026-05-07
AI Q&A
2025-08-27
EPSS Evaluated
2026-05-05
NVD
CVE-2025-20241
EUVD
EUVD-2025-27686
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cisco nx-os *
cisco nexus_3000_series_switches *
cisco nexus_9000_series_switches *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-733 The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the IS-IS routing feature in Cisco NX-OS Software on Nexus 3000 and 9000 Series Switches in standalone mode. It is caused by insufficient input validation when parsing incoming IS-IS packets. An unauthenticated attacker who is Layer 2-adjacent to the device can send a specially crafted IS-IS packet that causes the IS-IS process to unexpectedly restart. This restart can lead to the device reloading, resulting in a denial of service (DoS) condition. [1]


How can this vulnerability impact me? :

Exploitation of this vulnerability can cause the IS-IS process on the affected device to restart unexpectedly, which may cause the entire device to reload. This results in a denial of service (DoS) condition, disrupting network routing and potentially causing network outages or degraded performance. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if IS-IS is enabled and viewing IS-IS adjacencies on your Cisco Nexus 3000 or 9000 Series Switches running standalone NX-OS mode. Suggested commands include: `show running-config | include isis` to check if IS-IS is enabled, and `show isis adjacency` to view IS-IS adjacencies. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include enabling IS-IS area authentication to require attackers to pass authentication before exploiting the vulnerability. Additionally, obtain and apply the fixed software updates released by Cisco through official channels if you have a valid service contract. There are no direct workarounds available. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart