CVE-2025-20137 in IOSinfo

Summary

by MITRE • 05/07/2025

A vulnerability in the access control list (ACL) programming of Cisco IOS Software that is running on Cisco Catalyst 1000 Switches and Cisco Catalyst 2960L Switches could allow an unauthenticated, remote attacker to bypass a configured ACL.

This vulnerability is due to the use of both an IPv4 ACL and a dynamic ACL of IP Source Guard on the same interface, which is an unsupported configuration. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device.

Note: Cisco documentation has been updated to reflect that this is an unsupported configuration. However, Cisco is publishing this advisory because the device will not prevent an administrator from configuring both features on the same interface. There are no plans to implement the ability to configure both features on the same interface on Cisco Catalyst 1000 or Catalyst 2960L Switches.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/05/2025

This vulnerability exists within the access control list implementation of Cisco IOS Software running on specific Catalyst switch models including the 1000 Series and 2960L Series switches. The flaw stems from an unsupported configuration scenario where both IPv4 ACLs and dynamic ACLs through IP Source Guard functionality are simultaneously applied to the same network interface. This particular combination creates a security gap that allows unauthorized remote access bypassing the intended access controls. The vulnerability represents a critical weakness in the software's configuration validation mechanisms, as the system does not properly prevent administrators from implementing this conflicting setup despite documentation explicitly stating it as unsupported.

The technical exploitation of this vulnerability occurs through the interaction between two distinct network security mechanisms that should operate independently but become incompatible when deployed together. When both IPv4 ACLs and IP Source Guard dynamic ACLs are configured on the same interface, the system fails to properly enforce the access control policies that administrators intend to implement. This creates a scenario where packets can traverse the network device without proper authentication or authorization checks, effectively allowing attackers to circumvent the security controls that should be in place. The flaw operates at the software layer where access control decisions are made, specifically within the packet processing pipeline where ACL matching occurs.

The operational impact of this vulnerability is significant as it provides remote attackers with a method to bypass network access controls without requiring authentication credentials. This allows unauthorized network access and potentially full network penetration, as the attacker can send traffic through the affected device and bypass any configured ACL restrictions. The vulnerability affects the fundamental security posture of the network infrastructure, as it undermines the trust model that relies on proper access control enforcement. Network administrators who have configured both ACL types on the same interface may believe their security policies are properly enforced, while simultaneously allowing unauthorized access through the configuration conflict.

Mitigation strategies should focus on immediate configuration remediation to eliminate the unsupported combination of IPv4 ACLs and IP Source Guard on the same interface. Network administrators must review all switch configurations and remove either the IPv4 ACL or IP Source Guard configuration from affected interfaces to prevent exploitation. Cisco recommends implementing proper network segmentation and access control policies that do not rely on this conflicting configuration approach. The vulnerability also highlights the importance of proper configuration management and security auditing processes to prevent deployment of unsupported configurations. Organizations should implement configuration validation procedures and regular security assessments to identify and remediate similar issues before they can be exploited by threat actors.

This vulnerability aligns with CWE-693, which covers protection mechanism failures, specifically where access control mechanisms are bypassed through improper configuration. From an ATT&CK framework perspective, this represents a privilege escalation technique through configuration flaws, potentially enabling initial access or lateral movement within a network. The vulnerability demonstrates how unsupported configurations in network infrastructure can create persistent security weaknesses that may not be immediately apparent but can provide significant attack surface advantages to malicious actors. The fact that Cisco has acknowledged this as unsupported but continues to allow the configuration through the software interface indicates a gap in the platform's configuration validation and enforcement capabilities.

Responsible

Cisco

Reservation

10/10/2024

Disclosure

05/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00228

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!