Cisco IOS XE Software on Cisco Catalyst 9500X and 9600X Series Switches Virtual Interface Access Control List Bypass Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 5.3 Security Advisory

TL;DR 📌

A Medium severity vulnerability has been identified in Cisco IOS XE Software affecting Catalyst 9500X and 9600X Series Switches. An unauthenticated remote attacker could exploit this vulnerability to bypass configured access control lists (ACLs) on affected devices. Cisco has released software updates to address this issue, and there are workarounds available.

What happened 🕵️‍♂️

A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software allows an unauthenticated, remote attacker to bypass a configured ACL on affected devices. This occurs when an attacker floods traffic from an unlearned MAC address on a switch virtual interface (SVI) with an egress ACL applied. If the MAC address table is full or flushed, the attacker could successfully bypass the egress ACL.

Affected products 🖥️

The vulnerability affects Cisco Catalyst 9500X and 9600X Series Switches running a vulnerable release of Cisco IOS XE Software with an egress ACL configured on an SVI.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product        First Fixed Release   Notes
Cisco IOS XE Software    Not specified

Advisory revision history: 1.0 Initial public release.

Workarounds 🧯

One workaround is to convert egress ACLs to ingress ACLs. However, this may require extensive configuration changes depending on the number of interfaces configured with egress ACLs. Customers should evaluate the applicability and potential impact of this workaround in their own environments before implementation.
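Before deciding on the workaround, it helps to know exactly which SVIs carry an egress ACL, since that is the exposed configuration. The following audit script is an added example, not Cisco's code; it assumes plain `show running-config` text in which egress ACLs appear as `ip access-group NAME out` or `ipv6 traffic-filter NAME out` under `interface VlanN` stanzas, and the sample config is constructed.

```python
# Added audit helper (not Cisco's): list SVIs whose running-config binds an
# egress ACL, which is the exposure CVE-2025-20316 concerns. Assumes plain
# `show running-config` text with IOS XE `ip access-group NAME out` /
# `ipv6 traffic-filter NAME out` lines under `interface VlanN`.
import re

# Constructed sample config; not captured from a real device.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-OUT out
!
interface Vlan20
 ip access-group SERVERS-IN in
 ipv6 traffic-filter V6-SRV-OUT out
!
interface TenGigabitEthernet1/0/1
 ip access-group UPLINK-OUT out
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
EGRESS_ACL_RE = re.compile(r"^\s+(ip access-group|ipv6 traffic-filter) (\S+) out\s*$")


def find_svi_egress_acls(config: str) -> list[tuple[str, str, str]]:
    """Return (interface, acl, family) for every egress ACL bound to an SVI.
    Egress ACLs on physical ports are deliberately not reported."""
    findings = []
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip() == "!":
            current = None  # end of the interface stanza
            continue
        m = EGRESS_ACL_RE.match(line)
        if m and current and current.lower().startswith("vlan"):
            family = "ipv6" if m.group(1).startswith("ipv6") else "ipv4"
            findings.append((current, m.group(2), family))
    return findings


if __name__ == "__main__":
    for intf, acl, family in find_svi_egress_acls(SAMPLE_CONFIG):
        print(f"{intf}: egress {family} ACL {acl} bound (review per workaround)")
```

Run it against a saved `show running-config` per device to build the list of SVIs whose egress ACLs would need to be re-expressed as ingress ACLs.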

Risk in context 🎯

With a CVSS score of 5.3, this vulnerability is rated as Medium severity. The risk is primarily due to potential unauthorized access to network resources, as an attacker could exploit this vulnerability without authentication. While the vulnerability does not directly impact availability, it could lead to unauthorized data access.

Fast facts ⚡

  • Vulnerability ID: CVE-2025-20316
  • CVSS Score: 5.3 (Medium)
  • Affected Products: Cisco Catalyst 9500X and 9600X Series Switches
  • Exploitation Potential: Unauthenticated remote access
  • Workaround Available: Yes, but requires careful evaluation

For leadership 🧭

This vulnerability presents a Medium risk to our network infrastructure, as it allows unauthenticated remote attackers to bypass access control lists on affected switches. The exposure is primarily driven by the potential for unauthorized access to network resources, with no immediate availability impact.

Remediation Ask: Patch within 30 days; note that fixed software is not yet available.

Operational Impact: Expect a brief maintenance window with no config drift anticipated.

Now / Next / Later:

  • Now: Assess affected devices and consider implementing workarounds.
  • Next: Monitor for updates on fixed software releases from Cisco.
  • Later: Plan for patch deployment once the fixed software is available.

Please note that exploitation has not been publicly reported, but vigilance is advised.