Cisco Nexus BGP DoS Vulnerability: Transitive Attribute Parsing Flaw (CVE-2025-20171)

Cisco Nexus 3000 and 9000 Series Switches BGP Denial of Service Vulnerability Summary Vulnerability Overview Vulnerability Name: Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol (BGP) Denial of Service Vulnerability CVE Number: CVE-2025-20171 CVSS Score: 6.8 (Medium) Vulnerability Principle: Due to incorrect parsing of BGP attributes (transitive BGP attributes), an attacker can exploit this vulnerability by sending specially crafted BGP updates to established BGP peers. If the updates propagate to the affected device, it may cause the device to drop the BGP session and generate BGP peer flapping, resulting in a Denial of Service (DoS). Trigger Conditions: This vulnerability is related to the feature, which is enabled by default when configuring BGP. Scope of Impact Affected Products: Cisco Nexus 3000 Series Switches Cisco Nexus 9000 Series Switches Prerequisites: Running in standalone NX-OS mode and configured with the BGP routing protocol. Non-Affected Products: Firepower Series, MDS 9000 Series, Nexus 5000/6000/7000 Series, UCS Series, Secure Firewall Series, etc. (See the "Products Confirmed Not Vulnerable" list on the page for details). Remediation 1. Software Upgrade: Upgrade to the software version provided by Cisco with the fix. 2. Temporary Workarounds: Discard Attribute: Add the command under the neighbor configuration that sends updates. Treat as Withdraw: Add the command under the neighbor configuration that sends updates. Disable Feature: Configure the command on the edge (PE) device receiving the attribute to disable this feature (Note: This may reduce security mechanisms). Exploit Code/Configuration Examples The page provides command-line code blocks for configuring workarounds and detecting the vulnerability: Check BGP Neighbor Status: Configure Logging to Detect Anomalies: Check Logs to Confirm Exploitation (Shows malformed as path error): Workaround Configuration Example 1 (Discard Attribute): Workaround Configuration Example 2 (Treat as Withdraw): Workaround Configuration Example 3 (Disable enforce-first-as):**

Goal Reached Thanks to every supporter — we hit 100%!

Cisco Nexus BGP DoS Vulnerability: Transitive Attribute Parsing Flaw (CVE-2025-20171)