
CVE-2024-20291: Cisco NX-OS ACL Bypass Vulnerability

CVE-2024-20291 is an access control list (ACL) bypass flaw in Cisco NX-OS that lets an unauthenticated, remote attacker push traffic through Nexus 3000 and 9000 Series Switches that a port channel subinterface ACL should have dropped. It is an authorization bypass, not an authentication bypass: no login or credential is involved, the switch simply stops enforcing part of its filtering policy. This article covers technical details, impact, and fixes.

Updated: January 22, 2026

CVE-2024-20291 Overview

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This authorization bypass vulnerability enables attackers to circumvent security controls and access network resources that should be protected by properly configured ACLs.

The vulnerability stems from incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device, potentially gaining unauthorized access to protected network segments.

Critical Impact

Unauthenticated remote attackers can bypass ACL protections on port channel subinterfaces, allowing unauthorized network traffic to pass through affected Cisco Nexus switches and access protected resources.

Affected Products

  • Cisco NX-OS releases 9.3(10), 9.3(11), and 9.3(12)
  • Cisco Nexus 3000 Series Switches in standalone NX-OS mode
  • Cisco Nexus 9000 Series Switches in standalone NX-OS mode

A device is exposed only when both conditions hold: it runs one of the listed releases and it has an ACL applied to at least one port channel subinterface. Switches without subinterface ACLs are not affected by this issue.

Discovery Timeline

  • February 29, 2024 - CVE-2024-20291 published to NVD
  • April 30, 2025 - Last updated in NVD database

Technical Details for CVE-2024-20291

Vulnerability Analysis

This vulnerability represents an authorization bypass (CWE-863) and improper access control (CWE-284) issue affecting the ACL enforcement mechanism on Cisco Nexus switches. The flaw exists in how the switch hardware processes ACL rules applied to port channel subinterfaces.

When administrators make configuration changes to port channel member ports, the hardware programming responsible for enforcing ACLs fails to properly update. This creates a window where traffic that should be denied by configured ACL rules is instead permitted to pass through the device. The vulnerability is particularly concerning because it affects the foundational security control mechanism that organizations rely on for network segmentation and access control.

The impact allows attackers to reach network resources that administrators intended to be inaccessible from certain network segments. This can undermine network segmentation strategies and potentially expose sensitive internal systems to unauthorized access.

Root Cause

The root cause of this vulnerability is incorrect hardware programming that occurs during configuration changes to port channel member ports. When port channel configurations are modified, the ACL rules applied to port channel subinterfaces are not properly programmed into the switching hardware. This results in a mismatch between the intended ACL policy (as shown in the software configuration) and the actual hardware-enforced policy.

The issue specifically affects port channel subinterfaces rather than standard physical interfaces or the main port channel interface. This indicates that the hardware programming logic for subinterface ACLs has a defect in how it handles configuration state transitions for port channel members.

Attack Vector

The attack vector is network-based and requires neither authentication nor user interaction (CVSS AV:N, PR:N, UI:N). From the attacker's side exploitation is passive; the sequence is:

  1. Identify a Cisco Nexus 3000 or 9000 Series switch in standalone NX-OS mode running a vulnerable NX-OS release
  2. Determine that the switch enforces an ACL on a port channel subinterface on the path to the target
  3. Wait for the bypass condition: it arises only after an administrator changes the configuration of a port channel member port, and the attacker has no way to force that change
  4. Send traffic that the subinterface ACL should deny; while the hardware programming is stale, the switch forwards it

No crafted packets are needed. The attacker sends ordinary traffic that the ACL should block, and if the condition exists it passes unfiltered. Because the defect is in the ACL hardware programming rather than in packet parsing, there is nothing unusual on the wire to signature; detection has to compare observed flows against the intended policy. See the Cisco Security Advisory for fixed releases and verification steps.

Detection Methods for CVE-2024-20291

Indicators of Compromise

  • Unexpected network traffic reaching protected segments that should be blocked by port channel subinterface ACLs
  • Network monitoring alerts showing connections from sources that ACL rules should deny
  • Traffic analysis revealing access to restricted resources after port channel configuration changes
  • Discrepancies between configured ACL policies and observed traffic patterns on port channel subinterfaces

Detection Strategies

  • Compare the running ACL configuration against actual traffic patterns using NetFlow or sFlow data to identify policy violations
  • Implement network monitoring to detect traffic flows that should be blocked by configured ACLs on port channel subinterfaces
  • Monitor switch configuration change logs and correlate with unexpected traffic patterns
  • Use packet capture at critical network boundaries to verify ACL enforcement is functioning correctly

Monitoring Recommendations

  • Enable syslog monitoring for port channel configuration changes on affected Nexus switches (the switch's own accounting log, displayed with show accounting log, records the same changes locally)
  • Implement network segmentation verification testing after any configuration changes to port channel members
  • Deploy network intrusion detection systems to identify traffic patterns that violate expected ACL policies
  • Regularly audit ACL effectiveness by testing denied traffic paths through port channel subinterfaces

How to Mitigate CVE-2024-20291

Immediate Actions Required

  • Identify all Cisco Nexus 3000 and 9000 Series switches in standalone NX-OS mode running NX-OS 9.3(10), 9.3(11), or 9.3(12)
  • Review switch configurations for ACLs applied to port channel subinterfaces; only those devices are exposed, and they are the ones to patch first
  • Prioritize patching for switches that serve as security boundaries or segment sensitive network resources
  • Until patched, do not treat the subinterface ACL as the sole control: port channel member ports inherit their configuration from the port channel and cannot carry their own ACLs, so the interim measure is to enforce the same policy at an adjacent firewall or router
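The configuration review above (which port channel subinterfaces actually carry an ACL) and the detection strategy of comparing the running ACL policy against NetFlow or sFlow data can be scripted together. The Python below is an added example, not code from SentinelOne or Cisco. The running-config excerpt and the flow records are constructed for illustration; the ACL grammar it accepts is a simplified subset of NX-OS syntax (IPv4 only, "eq" port matches only, first match wins, implicit deny at the end); and a hit is evidence of a mismatch between intended policy and observed forwarding, not proof of this CVE, because the script cannot see the hardware tables.

```python
"""Flag flows seen on an ACL-protected port channel subinterface that the bound
ACL should have denied.  Added example; the config and flows are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed NX-OS running-config excerpt (not taken from a real device).
RUNNING_CONFIG = """\
ip access-list PROTECT-DB
  10 deny tcp 10.10.0.0/16 10.50.1.0/24 eq 3306
  20 deny ip any 10.50.2.0/24
  30 permit ip any any
interface Ethernet1/1
  channel-group 10 mode active
interface port-channel10
  no switchport
interface port-channel10.100
  encapsulation dot1q 100
  ip address 10.10.100.1/24
  ip access-group PROTECT-DB in
interface port-channel10.200
  encapsulation dot1q 200
  ip address 10.10.200.1/24
"""

# Constructed flow records as a NetFlow/sFlow collector might export them:
# (ingress interface, protocol, source, destination, destination port).
FLOWS = [
    ("port-channel10.100", "tcp", "10.10.100.25", "10.50.1.7", 3306),  # ACE 10 should deny
    ("port-channel10.100", "tcp", "10.10.100.25", "10.50.3.7", 443),   # ACE 30 permits
    ("port-channel10.100", "udp", "192.0.2.9", "10.50.2.4", 53),       # ACE 20 should deny
    ("port-channel10.200", "tcp", "10.10.200.8", "10.50.1.7", 3306),   # no ACL bound
]


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None


# Simplified ACE grammar: "<seq> permit|deny <proto> <src> <dst> [eq <port>]".
ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_config(text: str):
    """Return (acls, bindings): ACL name -> [Ace], and subinterface -> inbound ACL name.
    Only port channel subinterfaces (names containing a dot) are in scope for this CVE."""
    acls: dict[str, list[Ace]] = {}
    bindings: dict[str, str] = {}
    current_acl = current_intf = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            current_acl, current_intf = line.split()[-1], None
            acls[current_acl] = []
        elif line.startswith("interface "):
            current_intf, current_acl = line.split()[-1], None
        elif current_acl and (m := ACE_RE.match(line)):
            seq, action, proto, src, dst, port = m.groups()
            acls[current_acl].append(
                Ace(int(seq), action, proto, _net(src), _net(dst), int(port) if port else None))
        elif current_intf and line.startswith("ip access-group ") and line.endswith(" in"):
            if current_intf.startswith("port-channel") and "." in current_intf:
                bindings[current_intf] = line.split()[2]
    return acls, bindings


def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int):
    """First-match evaluation; returns (action, matching seq). Unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


def find_bypasses(config_text: str, flows):
    """Flows observed on a protected subinterface that its ACL should have dropped."""
    acls, bindings = parse_config(config_text)
    hits = []
    for intf, proto, src, dst, dport in flows:
        acl_name = bindings.get(intf)
        if acl_name is None:
            continue  # no subinterface ACL here, so nothing to bypass
        action, seq = evaluate(acls[acl_name], proto, src, dst, dport)
        if action == "deny":
            hits.append((intf, acl_name, seq, f"{proto} {src}->{dst}:{dport}"))
    return hits


if __name__ == "__main__":
    for hit in find_bypasses(RUNNING_CONFIG, FLOWS):
        print("possible ACL bypass:", hit)
```

In practice the config text comes from show running-config aclmgr plus the interface section, and the flow tuples from your collector; correlate each hit with the timestamp of the last member-port change in show accounting log before treating it as this CVE rather than an ACL authoring error.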

Patch Information

Cisco has released software updates that address this vulnerability. Administrators should upgrade to a fixed NX-OS release as documented in the Cisco Security Advisory. The advisory provides specific fixed release information and upgrade guidance for affected platforms.

Customers should obtain fixed software through their regular software update channels or contact the Cisco Technical Assistance Center (TAC) for assistance with software upgrades.

Workarounds

  • Enforce the same policy at an adjacent device (firewall, router, or the switch at the far end of the port channel); moving the ACL to the physical member ports is not an option, because port channel member ports inherit their configuration from the port channel and cannot carry their own ACLs
  • Minimize configuration changes to port channel member ports until patches are applied; if a change is unavoidable, re-verify ACL enforcement immediately afterwards
  • Implement additional network security controls such as firewalls at network boundaries to provide defense-in-depth
  • After any port channel configuration change, verify ACL enforcement by testing blocked traffic paths

```bash
# Confirm the running NX-OS release (vulnerable: 9.3(10), 9.3(11), 9.3(12))
show version | include NXOS

# Find port channel subinterfaces and the ACLs bound to them
show running-config interface | section port-channel
show running-config aclmgr

# Port channel membership, and every interface each ACL is applied to
show port-channel summary
show ip access-lists summary

# Local record of the member-port changes that open the bypass window
show accounting log
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: ACL bypass (authorization bypass)
  • Vendor/Tech: Cisco NX-OS
  • Severity: MEDIUM
  • CVSS Score: 5.8
  • EPSS Probability: 12.18%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Impact Assessment (per the CVSS vector)

  • Confidentiality: None
  • Integrity: Low
  • Availability: None

CWE References

  • CWE-284
  • CWE-863

Vendor Resources

  • Cisco Security Advisory

Related CVEs

  • CVE-2020-10136: Cisco NX-OS Auth Bypass Vulnerability
  • CVE-2024-20397: Cisco NX-OS Auth Bypass Vulnerability
  • CVE-2024-20399: Cisco NX-OS Software RCE Vulnerability
  • CVE-2021-1587: Cisco NX-OS VXLAN OAM DoS Vulnerability