CVE-2025-20241: Cisco NX-OS IS-IS DoS Vulnerability

CVE-2025-20241 Overview

CVE-2025-20241 is a denial of service vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software. The flaw affects Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running in standalone NX-OS mode. An unauthenticated, Layer 2-adjacent attacker can send a crafted IS-IS packet to force the IS-IS process to restart, which can cause the affected device to reload. The vulnerability is tracked under [CWE-733] and stems from insufficient input validation when parsing ingress IS-IS packets.

Critical Impact

A single crafted IS-IS packet from a Layer 2-adjacent attacker can trigger an unexpected device reload, producing a denial of service on core data center switches.

Affected Products

• Cisco NX-OS Software running on Cisco Nexus 3000 Series Switches
• Cisco NX-OS Software running on Cisco Nexus 9000 Series Switches in standalone NX-OS mode
• Devices with the IS-IS routing feature enabled

Discovery Timeline

• 2025-08-27 - CVE-2025-20241 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-20241

Vulnerability Analysis

The vulnerability resides in the IS-IS packet parsing logic of Cisco NX-OS Software. IS-IS is a link-state interior gateway protocol used to exchange routing information between Layer 3 devices within an autonomous system. When the IS-IS process on an affected Nexus switch receives an ingress packet, the parser fails to adequately validate fields within the packet structure. A malformed packet triggers an error condition that causes the IS-IS process to crash and restart. Depending on the device state, the restart can cascade into a full device reload, producing a denial of service condition. The attack scope is changed because impact extends beyond the IS-IS process to the entire device.

Root Cause

The root cause is improper handling of an exceptional condition during IS-IS packet parsing, classified as [CWE-733] (Compiler Optimization Removal or Modification of Security-Critical Code) per the NVD record, with insufficient input validation cited in the vendor advisory. The IS-IS daemon does not safely reject malformed protocol data units (PDUs) and instead enters an unrecoverable state.

Attack Vector

Exploitation requires Layer 2 adjacency to the target device. The attacker must be on the same broadcast domain or directly connected link as the Nexus switch running IS-IS. No authentication or user interaction is required. The attacker sends a single crafted IS-IS PDU to the affected interface. Successful exploitation does not yield code execution or data disclosure but reliably disrupts availability of the switch and the routing topology it participates in.

No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Cisco Security Advisory for technical specifics.

Detection Methods for CVE-2025-20241

Indicators of Compromise

• Unexpected restarts of the isis process logged in NX-OS system logs
• Unscheduled device reloads on Nexus 3000 or Nexus 9000 switches with IS-IS enabled
• IS-IS adjacency flaps coinciding with the receipt of unusual ingress IS-IS PDUs
• Syslog messages referencing IS-IS process crashes or core dumps in bootflash:

Detection Strategies

• Monitor NX-OS syslog and show system internal sysmgr service name isis output for repeated process restarts
• Correlate IS-IS adjacency state changes across the routing topology to identify a common Layer 2 segment as the source
• Capture ingress IS-IS frames on affected interfaces and inspect for malformed TLVs or out-of-spec field lengths
• Alert on core file generation events under show cores referencing the IS-IS process

Monitoring Recommendations

• Forward NX-OS syslog and SNMP traps to a centralized SIEM or data lake for routing protocol event correlation
• Baseline normal IS-IS PDU rates per interface and alert on anomalies from access-layer ports that should not carry IS-IS
• Track device uptime and reload reasons through network management tooling to identify clustered DoS events

How to Mitigate CVE-2025-20241

Immediate Actions Required

• Identify all Nexus 3000 and Nexus 9000 standalone NX-OS devices with the IS-IS feature enabled using show running-config | include router isis
• Apply the fixed NX-OS software releases listed in the Cisco Security Advisory as soon as maintenance windows allow
• Restrict Layer 2 adjacency to trusted devices by disabling IS-IS on interfaces facing untrusted segments
• Enable IS-IS authentication on all adjacencies to limit which peers can establish a session

Patch Information

Cisco has published fixed software releases in the Cisco Security Advisory cisco-sa-n39k-isis-dos-JhJA8Rfx. Administrators should consult the advisory to map their current NX-OS train to the corresponding fixed version and upgrade affected switches. No workaround that fully eliminates the vulnerability is provided by the vendor outside of upgrading.

Workarounds

• Disable the IS-IS routing process on devices where it is not required using no feature isis
• Configure IS-IS HMAC-MD5 or keychain-based authentication to reduce the population of peers able to send IS-IS PDUs
• Apply Layer 2 controls such as port security and access control on edge ports to prevent untrusted hosts from injecting IS-IS frames
• Segment management and routing planes to ensure IS-IS adjacencies only form between trusted infrastructure

# Example NX-OS hardening: limit IS-IS to trusted interfaces and require authentication
configure terminal
 key chain ISIS-KEYS
  key 1
   key-string <strong-secret>
 router isis 1
  authentication-type md5 level-1
  authentication-type md5 level-2
  authentication key-chain ISIS-KEYS level-1
  authentication key-chain ISIS-KEYS level-2
 interface Ethernet1/1
  no ip router isis 1
end