CVE-2025-20316 Overview
CVE-2025-20316 is an access control weakness [CWE-284] in the access control list (ACL) programming of Cisco IOS XE Software running on Cisco Catalyst 9500X and 9600X Series Switches. An unauthenticated, remote attacker can bypass a configured egress ACL applied to a switch virtual interface (SVI). The flaw stems from how the platform handles traffic flooding when a MAC address is unlearned or the MAC address table is exhausted. Cisco published the advisory on September 24, 2025.
Critical Impact
Attackers can send traffic through an affected switch that should be denied by an egress ACL, weakening network segmentation between VLANs.
Affected Products
- Cisco IOS XE Software running on Cisco Catalyst 9500X Series Switches
- Cisco IOS XE Software running on Cisco Catalyst 9600X Series Switches
- Switch virtual interfaces (SVIs) with egress ACLs applied
Discovery Timeline
- 2025-09-24 - CVE-2025-20316 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-20316
Vulnerability Analysis
The vulnerability affects egress ACL enforcement on switch virtual interfaces in Cisco Catalyst 9500X and 9600X Series Switches. When a VLAN flushes its MAC address table, or when the MAC address table becomes full, the switch floods frames destined for unlearned MAC addresses across the VLAN. Frames flooded in this condition are forwarded without the configured egress ACL being applied. The result is a segmentation bypass that permits traffic an administrator explicitly intended to block.
The issue is a control-plane and forwarding interaction rather than a code execution flaw. Attackers do not need credentials, user interaction, or existing access to the management plane. Successful exploitation impacts integrity of the enforced access policy but does not directly disclose data or crash the device.
Root Cause
The root cause is improper access control [CWE-284] in the ACL programming logic for SVIs. Egress ACL evaluation is skipped for frames flooded due to unknown-unicast conditions on affected Catalyst platforms. Cisco's advisory attributes the behavior to the specific ASIC and forwarding path used by the 9500X and 9600X hardware families.
Attack Vector
An attacker on a reachable network segment can trigger the vulnerable condition by causing the target VLAN to flush its MAC address table or by generating enough unique source MAC addresses to fill the table. Once the table is in this state, traffic sent to destinations behind the SVI is flooded rather than switched normally, bypassing the egress ACL. No authentication is required. Refer to the Cisco Security Advisory for full technical details.
Detection Methods for CVE-2025-20316
Indicators of Compromise
- Unexpected MAC address table flushes or repeated MAC table full events on Catalyst 9500X or 9600X switches.
- High rates of unknown-unicast flooding on VLANs that terminate on an SVI with an egress ACL.
- Traffic reaching hosts behind an SVI that should have been denied by the configured egress ACL.
Detection Strategies
- Monitor show mac address-table count and syslog messages related to MAC table capacity and VLAN flush events.
- Compare NetFlow or IPFIX records at ingress and egress of protected VLANs to identify flows that traverse the SVI despite matching a deny ACE.
- Correlate switch telemetry with endpoint and network detection data in a centralized data lake to surface anomalous cross-VLAN communication.
Monitoring Recommendations
- Alert on sustained unknown-unicast flooding rates exceeding a baseline threshold per VLAN.
- Track ACL hit counters with show access-lists and investigate sudden drops in matched deny counts.
- Baseline MAC table utilization on affected switches and alert when utilization approaches capacity.
How to Mitigate CVE-2025-20316
Immediate Actions Required
- Identify Catalyst 9500X and 9600X switches running Cisco IOS XE and inventory any SVIs configured with egress ACLs.
- Apply the fixed Cisco IOS XE release identified in the Cisco Security Advisory.
- Review network segmentation assumptions that depend on egress ACLs on affected SVIs.
Patch Information
Cisco has published fixed software releases for affected Catalyst 9500X and 9600X switches. Consult the vendor advisory for the specific IOS XE train and version that resolves the ACL bypass. There are no listed public exploits, and this CVE is not present on the CISA Known Exploited Vulnerabilities catalog.
Workarounds
- Apply equivalent access restrictions as ingress ACLs on upstream interfaces where feasible, since ingress evaluation is not affected by the flooding condition.
- Increase MAC address table sizing where the platform allows and reduce events that trigger VLAN-wide MAC flushes, such as topology churn from spanning-tree changes.
- Constrain the number of hosts per VLAN and use port security to limit the rate at which the MAC address table can be filled by an attacker.
# Configuration example: apply equivalent filtering at ingress as a compensating control
interface GigabitEthernet1/0/1
ip access-group RESTRICT-INBOUND in
# Limit learned MAC addresses per access port to reduce table exhaustion risk
interface GigabitEthernet1/0/1
switchport port-security
switchport port-security maximum 4
switchport port-security violation restrict
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

