Cisco Nexus 3000 & 9000 Flaw Could Let Attackers Launch DoS Attacks

Cisco has released a high-severity security advisory (Advisory ID: cisco-sa-n39k-isis-dos-JhJA8Rfx) detailing a Denial of Service (DoS) vulnerability affecting the Intermediate System-to-Intermediate System (IS-IS) feature in Cisco NX-OS Software on Nexus 3000 Series and Nexus 9000 Series switches operating in standalone NX-OS mode.

First published on August 27, 2025 at 16:00 GMT, this vulnerability (CVE-2025-20241) carries a CVSS v3.1 Base Score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and stems from improper input validation when parsing ingress IS-IS packets.

Vulnerability Details and Impact

The root cause is insufficient input validation of crafted IS-IS Protocol Data Units (PDUs).

An unauthenticated attacker on the same Layer 2 segment as a vulnerable device can exploit it by sending a crafted IS-IS packet, which causes the IS-IS process to restart unexpectedly.

That process restart can in turn cause the whole device to reload, taking the switch, and every route it carries, out of service until it comes back up.

Cisco lists no workaround; the fix is to upgrade to a fixed NX-OS release.

Affected platforms include:

  • Nexus 3000 Series Switches running NX-OS with IS-IS enabled
  • Nexus 9000 Series Switches in standalone NX-OS mode with IS-IS enabled

To verify whether IS-IS is enabled, administrators can run the following command and look for the feature isis line together with at least one router isis process:

```
switch# show running-config | include isis
feature isis
ip router isis <process-name>
router isis <process-name>
```

If the command returns no output, IS-IS is not enabled and the device is not affected by this vulnerability.

To list the IS-IS adjacencies that are currently up, and therefore the interfaces on which a Layer 2-adjacent attacker could reach the IS-IS process:

```
switch# show isis adjacency
IS-IS process: <process-name>  VRF: default
System ID       SNPA            Level  State  Hold Time  Interface
2222.abcd.2002  6879.0913.5ed7  1      UP     00:00:09   Ethernet1/48
```

Cisco classifies the weakness as CWE-733 and tracks the issue internally as Cisco Bug ID CSCwn49153.

No public exploits or malicious activity leveraging this issue have been detected to date.

Remediation and Best Practices

Cisco has released free software updates to address the vulnerability.

Customers should obtain the latest NX-OS releases through Cisco’s usual update channels, ensuring that the affected devices have sufficient memory and that feature set licenses are valid.

Detailed fixed-software listings are available in the advisory’s “Fixed Software” section.

In the absence of direct workarounds, Cisco recommends enabling IS-IS authentication so that only peers holding a valid key can form an adjacency. This narrows exposure to hosts that possess the key; it does not remove the need to upgrade.

Configuration guidance can be found in the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide. On NX-OS the key chain is defined first, and area (level-1) MD5 authentication of LSPs and SNPs is then enabled under the IS-IS process:

```
switch(config)# key chain <chain-name>
switch(config-keychain)# key 0
switch(config-keychain-key)# key-string <secret>
switch(config)# router isis <process-name>
switch(config-router)# authentication-type md5 level-1
switch(config-router)# authentication key-chain <chain-name> level-1
```

Hello PDUs, which are what gate adjacency formation, are authenticated separately on each IS-IS interface with isis authentication-type md5 level-1 and isis authentication key-chain <chain-name> level-1; the key chain must be configured on both peers before the adjacency will come up.
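The two verification steps above (is IS-IS enabled, and is authentication configured) are easy to run on one switch and tedious across a fleet. The following script, an added example that is not part of the advisory or of any Cisco tool, works offline from saved show running-config output: it reports whether IS-IS is enabled at all, and, where it is, which IS-IS processes lack MD5 key-chain authentication for their configured levels and which interfaces run ip router isis without interface-level hello authentication. The sample configs are constructed for this example; the split between router-level (LSP/SNP) and interface-level (hello) authentication reflects NX-OS's IS-IS configuration model, and the is-type default of level-1-2 is assumed when no is-type line is present.

```python
import re
from dataclasses import dataclass, field

# Constructed sample 'show running-config' from a Nexus switch (not captured
# from a real device). Ethernet1/48 runs IS-IS with no hello authentication;
# Ethernet1/49 has it; the CORE process authenticates LSP/SNP for level-1.
SAMPLE_RUNNING_CONFIG = """\
feature isis

key chain ISISKEY
  key 0
    key-string 7 example
interface Ethernet1/48
  description to-core-2
  no switchport
  ip address 10.0.0.1/31
  ip router isis CORE
  no shutdown
interface Ethernet1/49
  no switchport
  ip address 10.0.0.3/31
  ip router isis CORE
  isis authentication-type md5 level-1
  isis authentication key-chain ISISKEY level-1
  no shutdown
router isis CORE
  net 49.0001.0000.0000.0001.00
  is-type level-1
  authentication-type md5 level-1
  authentication key-chain ISISKEY level-1
"""

# Constructed config of a switch that never enabled IS-IS (OSPF only).
SAMPLE_NO_ISIS_CONFIG = """\
feature ospf
router ospf 1
  router-id 10.255.0.1
"""

STANZA_RE = re.compile(r"^(router isis|interface)\s+(\S+)\s*$")
AUTH_TYPE_RE = re.compile(r"^\s+(?:isis\s+)?authentication-type\s+(\S+)\s+(level-[12])\s*$")
KEY_CHAIN_RE = re.compile(r"^\s+(?:isis\s+)?authentication key-chain\s+(\S+)\s+(level-[12])\s*$")
IP_ROUTER_RE = re.compile(r"^\s+ip router isis\s+(\S+)\s*$")
IS_TYPE_RE = re.compile(r"^\s+is-type\s+(level-1|level-2|level-1-2)\s*$")


@dataclass
class IsisProcess:
    name: str
    levels: tuple = ("level-1", "level-2")      # NX-OS default is-type is level-1-2
    auth_type: dict = field(default_factory=dict)  # level -> md5 | cleartext
    key_chain: dict = field(default_factory=dict)  # level -> key chain name


@dataclass
class IsisInterface:
    name: str
    process: str
    auth_type: dict = field(default_factory=dict)
    key_chain: dict = field(default_factory=dict)


def parse_config(text):
    """Walk top-level stanzas (column 0) and their indented sub-commands.

    Returns (feature_enabled, {process_name: IsisProcess}, [IsisInterface]);
    only interfaces that carry 'ip router isis' are returned.
    """
    feature_enabled, processes, interfaces, current = False, {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # new top-level command ends the stanza
            current = None
            if line.strip() == "feature isis":
                feature_enabled = True
                continue
            m = STANZA_RE.match(line)
            if m and m.group(1) == "router isis":
                current = processes.setdefault(m.group(2), IsisProcess(m.group(2)))
            elif m:
                current = IsisInterface(m.group(2), process="")
            continue
        if current is None:                   # sub-command of a stanza we ignore
            continue
        if isinstance(current, IsisInterface):
            m = IP_ROUTER_RE.match(line)
            if m:
                current.process = m.group(1)
                interfaces.append(current)
                continue
        else:
            m = IS_TYPE_RE.match(line)
            if m:
                current.levels = ("level-1", "level-2") if m.group(1) == "level-1-2" else (m.group(1),)
                continue
        m = AUTH_TYPE_RE.match(line)
        if m:
            current.auth_type[m.group(2)] = m.group(1)
            continue
        m = KEY_CHAIN_RE.match(line)
        if m:
            current.key_chain[m.group(2)] = m.group(1)
    return feature_enabled, processes, interfaces


def assess(text):
    """Return a list of finding strings for one device's running-config."""
    feature_enabled, processes, interfaces = parse_config(text)
    if not feature_enabled or not processes:
        return ["IS-IS not enabled: not affected by cisco-sa-n39k-isis-dos-JhJA8Rfx"]
    findings = [f"IS-IS enabled ({', '.join(sorted(processes))}): in scope, upgrade per the advisory's Fixed Software"]
    for proc in processes.values():           # router level: LSP and SNP authentication
        for level in proc.levels:
            if proc.auth_type.get(level) != "md5" or level not in proc.key_chain:
                findings.append(f"router isis {proc.name}: no MD5 key-chain authentication for {level} (LSP/SNP)")
    for intf in interfaces:                   # interface level: hello authentication
        proc = processes.get(intf.process)
        for level in (proc.levels if proc else ("level-1", "level-2")):
            if intf.auth_type.get(level) != "md5" or level not in intf.key_chain:
                findings.append(f"{intf.name} (isis {intf.process}): hello PDUs unauthenticated for {level}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_RUNNING_CONFIG, SAMPLE_NO_ISIS_CONFIG):
        for finding in assess(sample):
            print(finding)
```

Feed it one saved running-config per device (for example, collected by your existing backup job) and triage the "in scope" devices first; an interface that shows up as unauthenticated is one where any host on that segment can send IS-IS PDUs the process will parse.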

Organizations without active service contracts should contact Cisco TAC with the advisory URL and product serial number to obtain software updates.

Continuous monitoring via Cisco Software Checker and regular consultation of PSIRT advisories is advised to maintain network resilience.

For full advisory details, download the CSAF document or visit Cisco’s Security Center.

Continuous updates and support information are available through Cisco’s Support and Downloads portal.


The post Cisco Nexus 3000 & 9000 Flaw Could Let Attackers Launch DoS Attacks appeared first on Cyber Security News.
