Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-20316

CVE-2025-20316: Cisco IOS XE ACL Bypass Vulnerability

CVE-2025-20316 is an authentication bypass flaw in Cisco IOS XE Software for Catalyst 9500X and 9600X switches that allows attackers to bypass configured ACLs. This article covers technical details, affected systems, and mitigation.

Published:

CVE-2025-20316 Overview

CVE-2025-20316 is an access control weakness [CWE-284] in the access control list (ACL) programming of Cisco IOS XE Software running on Cisco Catalyst 9500X and 9600X Series Switches. An unauthenticated, remote attacker can bypass a configured egress ACL applied to a switch virtual interface (SVI). The flaw stems from how the platform handles traffic flooding when a MAC address is unlearned or the MAC address table is exhausted. Cisco published the advisory on September 24, 2025.

Critical Impact

Attackers can send traffic through an affected switch that should be denied by an egress ACL, weakening network segmentation between VLANs.

Affected Products

  • Cisco IOS XE Software running on Cisco Catalyst 9500X Series Switches
  • Cisco IOS XE Software running on Cisco Catalyst 9600X Series Switches
  • Switch virtual interfaces (SVIs) with egress ACLs applied

Discovery Timeline

  • 2025-09-24 - CVE-2025-20316 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-20316

Vulnerability Analysis

The vulnerability affects egress ACL enforcement on switch virtual interfaces in Cisco Catalyst 9500X and 9600X Series Switches. When a VLAN flushes its MAC address table, or when the MAC address table becomes full, the switch floods frames destined for unlearned MAC addresses across the VLAN. Frames flooded in this condition are forwarded without the configured egress ACL being applied. The result is a segmentation bypass that permits traffic an administrator explicitly intended to block.

The issue is a control-plane and forwarding interaction rather than a code execution flaw. Attackers do not need credentials, user interaction, or existing access to the management plane. Successful exploitation impacts integrity of the enforced access policy but does not directly disclose data or crash the device.

Root Cause

The root cause is improper access control [CWE-284] in the ACL programming logic for SVIs. Egress ACL evaluation is skipped for frames flooded due to unknown-unicast conditions on affected Catalyst platforms. Cisco's advisory attributes the behavior to the specific ASIC and forwarding path used by the 9500X and 9600X hardware families.

Attack Vector

An attacker on a reachable network segment can trigger the vulnerable condition by causing the target VLAN to flush its MAC address table or by generating enough unique source MAC addresses to fill the table. Once the table is in this state, traffic sent to destinations behind the SVI is flooded rather than switched normally, bypassing the egress ACL. No authentication is required. Refer to the Cisco Security Advisory for full technical details.

Detection Methods for CVE-2025-20316

Indicators of Compromise

  • Unexpected MAC address table flushes or repeated MAC table full events on Catalyst 9500X or 9600X switches.
  • High rates of unknown-unicast flooding on VLANs that terminate on an SVI with an egress ACL.
  • Traffic reaching hosts behind an SVI that should have been denied by the configured egress ACL.

Detection Strategies

  • Monitor show mac address-table count and syslog messages related to MAC table capacity and VLAN flush events.
  • Compare NetFlow or IPFIX records at ingress and egress of protected VLANs to identify flows that traverse the SVI despite matching a deny ACE.
  • Correlate switch telemetry with endpoint and network detection data in a centralized data lake to surface anomalous cross-VLAN communication.

Monitoring Recommendations

  • Alert on sustained unknown-unicast flooding rates exceeding a baseline threshold per VLAN.
  • Track ACL hit counters with show access-lists and investigate sudden drops in matched deny counts.
  • Baseline MAC table utilization on affected switches and alert when utilization approaches capacity.

How to Mitigate CVE-2025-20316

Immediate Actions Required

  • Identify Catalyst 9500X and 9600X switches running Cisco IOS XE and inventory any SVIs configured with egress ACLs.
  • Apply the fixed Cisco IOS XE release identified in the Cisco Security Advisory.
  • Review network segmentation assumptions that depend on egress ACLs on affected SVIs.

Patch Information

Cisco has published fixed software releases for affected Catalyst 9500X and 9600X switches. Consult the vendor advisory for the specific IOS XE train and version that resolves the ACL bypass. There are no listed public exploits, and this CVE is not present on the CISA Known Exploited Vulnerabilities catalog.

Workarounds

  • Apply equivalent access restrictions as ingress ACLs on upstream interfaces where feasible, since ingress evaluation is not affected by the flooding condition.
  • Increase MAC address table sizing where the platform allows and reduce events that trigger VLAN-wide MAC flushes, such as topology churn from spanning-tree changes.
  • Constrain the number of hosts per VLAN and use port security to limit the rate at which the MAC address table can be filled by an attacker.
bash
# Configuration example: apply equivalent filtering at ingress as a compensating control
interface GigabitEthernet1/0/1
  ip access-group RESTRICT-INBOUND in

# Limit learned MAC addresses per access port to reduce table exhaustion risk
interface GigabitEthernet1/0/1
  switchport port-security
  switchport port-security maximum 4
  switchport port-security violation restrict

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.