CVE-2025-20111
Published: 26 February 2025
Summary
CVE-2025-20111 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Cisco Nexus (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Applying vendor patches directly remediates the flaw in health monitoring diagnostics that causes device reloads from crafted Ethernet frames.
Denial-of-service protections such as rate limiting on switch ports prevent sustained crafted Ethernet frame floods from triggering the vulnerability.
Input validation of Ethernet frames in health monitoring diagnostics mitigates the incorrect handling that leads to unexpected device reloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in switch health diagnostics allows unauthenticated adjacent attacker to send crafted Ethernet frames triggering device reload, directly enabling application/system exploitation for endpoint DoS.
NVD Description
A vulnerability in the health monitoring diagnostics of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the device to reload unexpectedly, resulting in a denial…
more
of service (DoS) condition. This vulnerability is due to the incorrect handling of specific Ethernet frames. An attacker could exploit this vulnerability by sending a sustained rate of crafted Ethernet frames to an affected device. A successful exploit could allow the attacker to cause the device to reload.
Deeper analysisAI
CVE-2025-20111 is a vulnerability in the health monitoring diagnostics feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running in standalone NX-OS mode. The issue stems from the incorrect handling of specific Ethernet frames, which could allow an unauthenticated, adjacent attacker to trigger an unexpected device reload, resulting in a denial-of-service (DoS) condition. It has been assigned a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-1220.
An adjacent, unauthenticated attacker could exploit this vulnerability by sending a sustained rate of crafted Ethernet frames to an affected device. Successful exploitation would cause the targeted switch to reload, disrupting network operations and potentially leading to repeated DoS if the attack persists.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k-healthdos-eOqSWK4g provides details on mitigation strategies and available patches.
Details
- CWE(s)