Cisco Catalyst 6800 Series Switches ROM Monitor Software Secure Boot Bypass Vulnerability

Vulnerability

A hidden command in Cisco IOS ROM Monitor (ROMMON) Software for Catalyst 6800 Series Switches allows an unauthenticated local attacker to bypass Cisco Secure Boot validation checks [1]. The affected devices include those with Catalyst 6800 Series Supervisor Engine 6T, Catalyst 6840-X Series Fixed Backbone Switches, and Catalyst 6880-X Series Extensible Fixed Aggregation Switches running a vulnerable ROMMON release [1].

Exploitation

An attacker must have physical or console access to the affected device. The attacker connects via the console, forces the device into ROMMON mode, and writes a malicious pattern to a specific memory address on the device [1]. No authentication is required, and no user interaction beyond the initial console connection is needed.

Impact

A successful exploit allows the attacker to bypass signature validation checks by Cisco Secure Boot technology and load a software image that has not been digitally signed by Cisco onto the affected device [1]. This can lead to complete compromise of the device’s trusted boot chain, enabling arbitrary code execution at the firmware level.

Mitigation

Cisco has released software updates to address this vulnerability. Administrators should upgrade to a fixed ROMMON version as recommended in the Cisco Security Advisory [1]. No workarounds are available. The advisory does not indicate the vulnerability is listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.