Unrated severity · NVD Advisory · Published Feb 4, 2021 · Updated Nov 8, 2024

Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability

CVE-2021-1389

Description

A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco IOS XR and NX-OS Software mishandle IPv6 packets, allowing unauthenticated remote attackers to bypass IPv6 ACLs.

Vulnerability

CVE-2021-1389 is an IPv6 access control list (ACL) bypass vulnerability in Cisco IOS XR Software and Cisco NX-OS Software. The issue stems from improper processing of IPv6 traffic, allowing crafted packets to evade ACL inspection. Affected versions include Cisco IOS XR releases prior to 6.6.3, 6.7.1, 7.1.1, and 7.2.1, and certain Cisco NX-OS releases (specific versions not disclosed in the available reference). [1]

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted IPv6 packets through the affected device. No authentication or privileged access is required. The attacker needs only network connectivity to an interface of the affected device that has an IPv6 ACL applied. [1]

Impact

Successful exploitation allows the attacker to bypass the configured IPv6 ACL, gaining unauthorized access to network resources that the ACL was intended to protect. The attack does not grant code execution or elevated privileges but compromises the intended access control. [1]

Mitigation

For Cisco IOS XR, upgrade to a fixed release: 6.6.3, 6.7.1, 7.1.1, 7.2.1, or later. For Cisco NX-OS, first upgrade to a fixed release (details available in the Cisco advisory), then apply the extension-header deny-all rule to all configured IPv6 ACLs. This rule is not enabled by default and must be manually applied. No workaround exists without upgrading. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3


References

1
