High

Denial of Service via crafted Ethernet frames in Cisco IOS XE for Catalyst 9000 Series Switches

Identifiers: CVE-2025-20311, CWE-20

CVE-2025-20311 is a denial-of-service vulnerability in Cisco IOS XE Software for Catalyst 9000 Series Switches. The flaw is caused by improper handling of certain crafted Ethernet frames. An unauthenticated adjacent attacker can exploit the issue by sending specially crafted Ethernet frames through an affected switch. If successful, the exploit causes the egress port to which the crafted frame is forwarded to become blocked and to drop all outbound traffic.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes the affected egress port to start dropping all outbound frames, resulting in a denial-of-service condition for traffic traversing that port. This can disrupt network connectivity and availability for downstream systems or segments relying on the affected switch port.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround or mitigation is documented in the source material for this entry. In the absence of a vendor-documented workaround, the practical mitigation is to limit exposure to adjacent-layer attackers where possible and apply Cisco-provided software updates as soon as feasible.

Remediation

Patch, then assume compromise.

Cisco recommends updating affected Cisco IOS XE Software on Catalyst 9000 Series Switches in accordance with Cisco’s published advisory and device/version-specific guidance. The source material for this entry does not include fixed release numbers, so the exact fixed versions are not currently available here.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
