Cisco has issued a high-severity advisory for a vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of NX-OS Software, affecting Cisco Nexus 3000 and 9000 Series switches. Tracked as CVE-2025-20241 with a CVSS score of high, the flaw arises from insufficient input validation when parsing ingress IS-IS packets. An unauthenticated, Layer 2-adjacent attacker could exploit this by sending a crafted IS-IS L1 or L2 packet, which forces the IS-IS process to restart and may reload the device, causing a denial-of-service (DoS) condition that disrupts routing and traffic forwarding.

The issue only impacts devices where IS-IS is actively enabled on at least one interface. Vulnerable products include the Cisco Nexus 3000 Series and Cisco Nexus 9000 Series in standalone NX-OS mode. Other Cisco offerings such as Nexus 9000 in ACI mode, Firepower appliances, MDS 9000, and UCS Fabric Interconnects are confirmed safe. The advisory emphasizes that the vulnerability requires Layer 2 adjacency, meaning attackers must be on the same broadcast domain as the target switch. Importantly, if IS-IS authentication is configured, exploitation would also require valid authentication keys.

Administrators are advised to verify whether their devices are exposed by checking for the presence of feature isis, router isis name, and at least one ip router isis name entry in the CLI configuration. Live IS-IS peers can also be monitored through CLI commands to assess current exposure. Cisco notes that there are no temporary workarounds, but enabling IS-IS area authentication can mitigate the risk by enforcing authentication requirements on IS-IS packets. However, network operators must carefully validate this mitigation to avoid interoperability issues across their routing domains.

Cisco has released free NX-OS software updates to patch this vulnerability and strongly urges customers to apply them immediately. Users with active service contracts can download the fixed software from Cisco’s Support and Downloads portal, while those without contracts may obtain the necessary patches by contacting Cisco TAC with the advisory reference and device serial number. Given the potential for attackers to trigger disruptive DoS conditions in critical environments, prompt remediation is essential to maintain network stability and operational resilience.