CVE-2025-20191 Overview
CVE-2025-20191 is a denial of service vulnerability in the Switch Integrated Security Features (SISF) component of multiple Cisco network operating systems. The flaw affects Cisco IOS, IOS XE, NX-OS, and Wireless LAN Controller (WLC) AireOS Software. An unauthenticated attacker on the same Layer 2 segment as the device can send a crafted DHCPv6 packet that causes the device to reload. The vulnerability stems from incorrect handling of DHCPv6 packets and is classified under [CWE-805] (Buffer Access with Incorrect Length Value). Successful exploitation reloads the device, denying service to all traffic that transits it until it finishes booting.
Critical Impact
An attacker on an adjacent Layer 2 segment can reload affected Cisco network devices by sending a crafted DHCPv6 packet, interrupting every service that depends on the device; repeating the packet after each boot keeps it down.
Affected Products
- Cisco IOS Software
- Cisco IOS XE Software
- Cisco NX-OS Software
- Cisco Wireless LAN Controller (WLC) AireOS Software
Discovery Timeline
- 2025-05-07 - CVE-2025-20191 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-20191
Vulnerability Analysis
The vulnerability resides in the Switch Integrated Security Features (SISF) subsystem, which implements the IPv6 first-hop security features (IPv6 snooping, RA guard, DHCPv6 guard) and device tracking. SISF inspects DHCPv6 packets seen on snooped VLANs to build its binding table and enforce those policies.
When processing a malformed DHCPv6 packet, SISF performs a buffer access using an incorrect length value. This memory handling defect, mapped to [CWE-805], crashes the device, which then reloads. The result is a denial of service condition affecting all traffic forwarded through the device.
Because SISF punts DHCPv6 packets to the control plane for inspection before any forwarding decision or higher-layer processing, the attacker needs no credentials and no reachable management interface. Any host able to inject DHCPv6 traffic onto a Layer 2 segment monitored by the affected device can trigger the flaw.
Root Cause
The root cause is improper boundary validation when parsing DHCPv6 protocol fields within SISF. The parser copies or indexes data using length values taken from attacker-controlled packet content without checking them against the bytes actually present, so the access runs outside the intended buffer, the SISF process crashes, and the device reloads.
Attack Vector
The attack vector is adjacent network (AV:A): the attacker must be on the same broadcast domain or logical Layer 2 segment as the target, and no authentication or user interaction is required. Consistent with CWE-805, the crafted DHCPv6 packet carries option length fields that do not match the data actually present, and it is sent on a VLAN that an affected switch, router, or controller inspects with SISF. The current EPSS score is 0.098%, placing it in the 26th percentile for predicted exploitation likelihood.
No public proof-of-concept exploit code is available for CVE-2025-20191. Refer to the Cisco Security Advisory for vendor technical details.
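The length mismatch that CWE-805 describes is easiest to see in a parser that performs the check the vulnerable code omits. The block below is an added example written for this page; it is not Cisco code and does not reproduce the flaw. It walks DHCPv6 options in the RFC 8415 layout and reports every place a declared length disagrees with the enclosing buffer, including sub-options nested inside IA_NA and messages nested inside RELAY-FORW, where the inner walk must be bounded by the option rather than by the packet. The packets are constructed, not captured, and the minimum-length table covers only three option codes. The same check is what the detection strategy below means by flagging anomalous option lengths.

```python
import struct
from typing import List, Optional, Tuple

# DHCPv6 option codes used here (RFC 8415)
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_ELAPSED, OPT_RELAY_MSG = 1, 3, 5, 6, 8, 9
RELAY_FORW, RELAY_REPL = 12, 13
RELAY_HDR = 1 + 1 + 16 + 16   # msg-type, hop-count, link-address, peer-address
CLIENT_HDR = 1 + 3            # msg-type, transaction-id
# Minimum data length of options with a fixed prefix (subset, for illustration)
MIN_LEN = {OPT_IA_NA: 12, OPT_IAADDR: 24, OPT_ELAPSED: 2}


def walk_options(buf: bytes, start: int, end: int, findings: List[str], depth: int = 0) -> List[Tuple[int, bytes]]:
    """Walk the TLV options in buf[start:end]. Every length read from the packet is
    compared with the enclosing buffer before it is used; that comparison is what a
    CWE-805 parser omits."""
    opts, off = [], start
    while off < end:
        if end - off < 4:
            findings.append(f"offset {off}: truncated option header ({end - off} bytes left)")
            break
        code, length = struct.unpack_from("!HH", buf, off)
        data_start, data_end = off + 4, off + 4 + length
        if data_end > end:
            findings.append(f"offset {off}: option {code} declares {length} bytes but only {end - data_start} remain")
            break
        if length < MIN_LEN.get(code, 0):
            findings.append(f"offset {off}: option {code} length {length} below minimum {MIN_LEN[code]}")
        opts.append((code, buf[data_start:data_end]))
        # Nested structures: the inner walk is bounded by this option, not by the packet.
        if code == OPT_IA_NA and length >= MIN_LEN[OPT_IA_NA] and depth < 4:
            walk_options(buf, data_start + 12, data_end, findings, depth + 1)   # skip IAID, T1, T2
        elif code == OPT_RELAY_MSG and depth < 4:
            parse_dhcpv6(buf[data_start:data_end], findings, depth + 1)
        off = data_end
    return opts


def parse_dhcpv6(pkt: bytes, findings: Optional[List[str]] = None, depth: int = 0):
    """Return (msg_type, options, findings) for one DHCPv6 UDP payload."""
    if findings is None:
        findings = []
    if not pkt:
        findings.append("empty payload")
        return None, [], findings
    msg_type = pkt[0]
    hdr = RELAY_HDR if msg_type in (RELAY_FORW, RELAY_REPL) else CLIENT_HDR
    if len(pkt) < hdr:
        findings.append(f"payload shorter than {hdr}-byte header for message type {msg_type}")
        return msg_type, [], findings
    return msg_type, walk_options(pkt, hdr, len(pkt), findings, depth), findings


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def is_anomalous(pkt: bytes) -> bool:
    return bool(parse_dhcpv6(pkt)[2])


# Constructed sample payloads (not captured traffic).
# Well-formed SOLICIT: client DUID, elapsed time, IA_NA with no sub-options.
GOOD = bytes([1, 0x12, 0x34, 0x56]) + option(OPT_CLIENTID, b"\x00\x01\x00\x01" + b"\xaa" * 10) \
    + option(OPT_ELAPSED, b"\x00\x00") + option(OPT_IA_NA, struct.pack("!III", 1, 0, 0))
# Malformed SOLICIT: the IA_NA's IAADDR sub-option declares 24 bytes but the IA_NA holds
# only 8 more, while the packet itself continues with an ORO option. The outer lengths
# are consistent, so a parser that bounds the inner walk by the packet instead of by
# the option would read 16 bytes of the ORO as IAADDR data.
BAD_INNER = struct.pack("!III", 1, 0, 0) + struct.pack("!HH", OPT_IAADDR, 24) + b"\x00" * 8
BAD = bytes([1, 0x12, 0x34, 0x56]) + option(OPT_CLIENTID, b"\x00\x03\x00\x01" + b"\xbb" * 6) \
    + option(OPT_IA_NA, BAD_INNER) + option(OPT_ORO, b"\x00\x17" * 10)
# SOLICIT whose last option claims more bytes than the packet holds.
TRUNC = bytes([1, 0, 0, 1]) + struct.pack("!HH", OPT_ORO, 64) + b"\x00\x17"
# RELAY-FORW wrapping the malformed SOLICIT: the flaw must be found inside option 9.
RELAY = bytes([RELAY_FORW, 0]) + b"\x00" * 32 + option(OPT_RELAY_MSG, BAD)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad-inner", BAD), ("truncated", TRUNC), ("relay", RELAY)):
        _, opts, findings = parse_dhcpv6(pkt)
        print(name, [c for c, _ in opts], findings)
```

Run on a live capture, feed the UDP payload of each packet to `parse_dhcpv6` and alert on any non-empty findings list; the source MAC and ingress port of the flagged frame are the indicators the detection section below asks for.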
Detection Methods for CVE-2025-20191
Indicators of Compromise
- Unexpected device reloads with crash files referencing SISF or IPv6 snooping processes
- Neighbors losing adjacency to the device and an emptied DHCPv6 binding table once it returns, with no change window or operator reload to explain it
- Bursts of malformed DHCPv6 traffic originating from a single MAC address on a monitored VLAN
Detection Strategies
- Inspect syslog and crash archives (crashinfo files) for SISF references and for unexpected %SYS-5-RESTART events that follow DHCPv6 or %SISF log activity on the same device
- Deploy network telemetry to flag DHCPv6 packets with anomalous option lengths or oversized fields
- Correlate device reload timestamps across multiple switches to identify coordinated adjacent attacks
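The three strategies above reduce to a small amount of log logic. The block below is an added example, not a Cisco or vendor tool: it parses constructed syslog lines (the timestamp, hostname and facility-severity-mnemonic layout a SIEM receives; the message texts only approximate real IOS XE output), flags reloads that either mention SISF themselves or were preceded on the same host by SISF or DHCPv6 log lines, and groups restarts from distinct hosts that fall within one time window. The lookback and window values are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines; not captured from a device.
SAMPLE_LOGS = """\
2025-06-12T10:02:30Z sw-access-01 %SISF-4-PAK_DROP: Message dropped on Gi1/0/7 from fe80::1: DHCPv6 SOLICIT malformed
2025-06-12T10:02:31Z sw-access-01 %SISF-4-PAK_DROP: Message dropped on Gi1/0/7 from fe80::1: DHCPv6 SOLICIT malformed
2025-06-12T10:02:33Z sw-access-01 %SYS-5-RESTART: System restarted -- unexpected reload, crashinfo written
2025-06-12T10:02:49Z sw-access-02 %SYS-5-RESTART: System restarted -- crash in process SISF Switcher Thread
2025-06-12T10:30:00Z sw-core-01 %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5)
2025-06-12T10:30:42Z sw-core-01 %SYS-5-RESTART: System restarted -- reload
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+%([A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(.*)$")
RELOAD_MNEMONICS = {"SYS-5-RESTART", "SYS-5-RELOAD"}
SISF_KEYWORDS = re.compile(r"sisf|dhcpv6|ipv6 snooping", re.IGNORECASE)

Event = Tuple[datetime, str, str, str]   # timestamp, host, mnemonic, message


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)


def parse_logs(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def sisf_reload_alerts(events: List[Event], lookback: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Reloads that mention SISF/DHCPv6 themselves, or were preceded on the same host by
    SISF/DHCPv6 syslog within `lookback`. A planned reload with neither is not alerted."""
    alerts = []
    for ts, host, mnem, msg in events:
        if mnem not in RELOAD_MNEMONICS:
            continue
        context = [e for e in events
                   if e[1] == host and ts - lookback <= e[0] < ts and SISF_KEYWORDS.search(e[2] + " " + e[3])]
        if SISF_KEYWORDS.search(msg) or context:
            alerts.append({"host": host, "time": ts, "message": msg, "context": len(context)})
    return alerts


def correlate_reloads(events: List[Event], window: timedelta = timedelta(seconds=60)) -> List[List[str]]:
    """Sets of two or more distinct hosts whose RESTART events fall within `window` of the
    first restart in the group; several devices on one segment rebooting together points
    at an adjacent attacker rather than a one-off hardware fault."""
    restarts = sorted((ts, host) for ts, host, mnem, _ in events if mnem == "SYS-5-RESTART")
    groups, current = [], []
    for ts, host in restarts:
        if current and ts - current[0][0] > window:
            groups.append(current)
            current = []
        current.append((ts, host))
    if current:
        groups.append(current)
    return [sorted({h for _, h in g}) for g in groups if len({h for _, h in g}) >= 2]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for a in sisf_reload_alerts(evs):
        print("SISF-related reload:", a["host"], a["time"], f"({a['context']} context lines)")
    print("correlated restarts:", correlate_reloads(evs))
```

The planned `sw-core-01` reload is deliberately in the sample: the alert rule ignores it because nothing SISF-related precedes it, and the correlation rule ignores it because no other host restarts within the window. Both rules run equally well over a SIEM export or a `show logging` dump once the timestamp format is adjusted.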
Monitoring Recommendations
- Forward Cisco device syslogs to a centralized SIEM and alert on reload events tagged with SISF or DHCPv6 keywords
- Police DHCPv6 (UDP 546/547) reaching the control plane and log or count drops on access ports; a sustained stream of DHCPv6 from one port is the precursor to look for
- Alert on SNMP coldStart and warmStart traps, which a device emits after any reload, and on gaps in SNMP polling or NetFlow export that coincide with them; on modular chassis, cefcModuleStatusChange traps can additionally show a line card restarting
How to Mitigate CVE-2025-20191
Immediate Actions Required
- Apply Cisco fixed software releases as identified in the Cisco Security Advisory
- Inventory all IOS, IOS XE, NX-OS, and WLC AireOS devices with SISF, IPv6 snooping, or device tracking enabled
- Restrict DHCPv6 traffic at the access layer with port ACLs or VLAN segmentation until patches are deployed; on segments that are IPv4-only or SLAAC-only this can be a blanket deny, whereas segments with stateful DHCPv6 clients can only have rogue-server traffic filtered without breaking address assignment
Patch Information
Cisco has published fixed software versions in the advisory cisco-sa-sisf-dos-ZGwt4DdY. Administrators should consult the advisory for release-specific fixed train information and upgrade paths aligned with their deployed hardware and software combinations.
Workarounds
- Disable SISF, IPv6 snooping, or device tracking features on segments where they are not required; note that other features (for example 802.1X and web authentication on IOS XE) attach device-tracking policies implicitly, so confirm with show commands that SISF is actually off, and check the Cisco advisory for whether disabling these features removes exposure on your platform
- Do not treat DHCPv6 guard or RA guard as substitutes for a port ACL: RA guard filters router advertisements, not DHCPv6, and DHCPv6 guard is itself a SISF policy, so the device still parses the packet in order to apply it. Use a port ACL on client-facing interfaces to drop DHCPv6 server-sourced traffic (UDP source port 547), which confines server messages to trusted server ports
- Enforce strict Layer 2 access controls including 802.1X authentication to limit which endpoints can inject DHCPv6 traffic
- Storm control or control-plane policing on access interfaces limits how many DHCPv6 packets reach the CPU, which bounds the rate of repeated attempts but does not stop a single crafted packet; treat it as damage limitation, not a fix
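As an added illustration of the port ACL described in the immediate actions and workarounds above (this is not configuration from the Cisco advisory; it uses IOS XE syntax, and the ACL name and interface range are placeholders), the following drops all DHCPv6 on an access VLAN that does not use DHCPv6, and shows the narrower rogue-server rule for a VLAN that does. The intent is for the hardware ACL to discard the frame before it is punted to SISF; confirm that on your platform by sending a benign DHCPv6 SOLICIT to a filtered port and checking that the ACL counter increments while the SISF binding table shows no entry.

```cisco
! Interim control for CVE-2025-20191 on a VLAN with no DHCPv6 (IPv4-only or SLAAC-only).
! Clients send to UDP 547; servers and relays send to UDP 546.
ipv6 access-list DROP-DHCPV6-INTERIM
 remark CVE-2025-20191 interim control: no DHCPv6 is expected on this VLAN
 deny udp any any eq 547
 deny udp any any eq 546
 permit ipv6 any any
!
interface range GigabitEthernet1/0/1 - 48
 ipv6 traffic-filter DROP-DHCPV6-INTERIM in
!
! On a VLAN that does use DHCPv6 only server-sourced traffic can be filtered on client ports;
! client SOLICIT/REQUEST messages must still reach the device, so this does not close the hole.
ipv6 access-list DROP-ROGUE-DHCPV6-SERVER
 remark CVE-2025-20191: block rogue-server injection, not a complete mitigation
 deny udp any eq 547 any
 permit ipv6 any any
```

Counters are visible with `show ipv6 access-list`; the `log` keyword is deliberately absent because logging every drop during a flood adds CPU load to the device being protected.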
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.