VYPR
High severity (7.4) · NVD Advisory · Published Sep 24, 2025 · Updated Apr 15, 2026

CVE-2025-20311

Description

A vulnerability in the handling of certain Ethernet frames in Cisco IOS XE Software for Catalyst 9000 Series Switches could allow an unauthenticated, adjacent attacker to cause an egress port to become blocked and drop all outbound traffic. This vulnerability is due to improper handling of crafted Ethernet frames. An attacker could exploit this vulnerability by sending crafted Ethernet frames through an affected switch. A successful exploit could allow the attacker to cause the egress port to which the crafted frame is forwarded to start dropping all frames, resulting in a denial of service (DoS) condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafted Ethernet frames can trigger a denial of service on Cisco Catalyst 9000 switches by causing an egress port to block all outbound traffic.

The vulnerability exists in how Cisco IOS XE Software on Catalyst 9000 Series Switches handles crafted Ethernet frames. The issue is reachable when the switch has trunk, Cisco TrustSec, or MACsec ports configured; a crafted frame forwarded towards such a port is processed incorrectly. An unauthenticated, adjacent attacker can exploit this by sending specially crafted frames through an affected switch, causing the egress port to which the frame is forwarded to start dropping all frames, resulting in a denial of service (DoS) condition [1].

To exploit this, the attacker needs Layer 2 adjacency to the vulnerable switch (the same broadcast domain) and must send crafted frames that the switch forwards out of a port configured as a trunk, TrustSec, or MACsec-enabled. No authentication is required, and any device with that Layer 2 adjacency can launch the attack. The impact is confined to the specific egress port, but because that port may be an uplink, it can cut off outbound traffic for every device whose path relies on it [1].

Cisco has released fixed software, with the vulnerability resolved in Cisco IOS XE Software Release 17.15.4 and later. Administrators are advised to upgrade to a fixed release; the fixed build for other release trains should be confirmed against the Cisco Security Advisory rather than assumed. If upgrading is not immediately possible, disabling trunk, TrustSec, or MACsec on non-essential ports reduces the set of ports an attacker can target, although on uplinks these features are usually required, so this is a narrow mitigation rather than a fix. Detailed instructions for verifying device configuration and applying fixes are available in the Cisco Security Advisory [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
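The two exposure conditions the summary gives (ports configured as trunk, Cisco TrustSec, or MACsec, on a release below the 17.15.4 fix it names) lend themselves to a quick config audit. The Python below is an added example for this page, not Cisco tooling or code from the advisory: it parses a constructed Catalyst running-config excerpt, flags interfaces that enable any of the three features, and compares a constructed `show version` line against 17.15.4. The feature list and the 17.15.4 threshold are taken from the summary above as-is; the `cts manual` / `cts dot1x` and `macsec` sub-command patterns are the ones this example matches on, and the release comparison is only a rough screen, since other IOS XE trains may have their own fixed builds, which should be confirmed with Cisco's advisory and Software Checker.

```python
import re
from dataclasses import dataclass

# Fixed release as stated in the summary above. Assumption: other IOS XE trains
# may have their own fixed builds; confirm with Cisco's advisory before relying on this.
FIXED_RELEASE = (17, 15, 4)

# Constructed running-config excerpt (illustrative only, not from a real device).
SAMPLE_CONFIG = """\
version 17.12
hostname cat9k-access-1
!
interface TwentyFiveGigE1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface TwentyFiveGigE1/0/2
 description macsec link to distribution
 switchport mode trunk
 macsec
 mka policy MKA-POL
!
interface GigabitEthernet1/0/5
 description TrustSec inline tagging to edge
 switchport mode access
 switchport access vlan 20
 cts manual
  policy static sgt 100 trusted
!
interface GigabitEthernet1/0/10
 description user port
 switchport mode access
 switchport access vlan 30
!
end
"""

# Constructed first line of 'show version' output (illustrative only).
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 17.12.04"


@dataclass
class Exposure:
    interface: str
    reasons: list  # subset of {"trunk", "macsec", "trustsec"}


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to its indented sub-commands (stripped)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return interfaces


def exposure_reasons(sub_commands) -> list:
    """Return which of the three summary-listed features a block enables."""
    reasons = set()
    for line in sub_commands:
        if re.match(r"switchport mode trunk\b", line):
            reasons.add("trunk")
        elif re.match(r"macsec\b", line):
            reasons.add("macsec")
        elif re.match(r"cts\s+(manual|dot1x)\b", line):  # TrustSec link modes
            reasons.add("trustsec")
    return sorted(reasons)


def exposed_interfaces(config: str) -> list:
    """Interfaces whose config matches at least one exposure condition."""
    found = []
    for name, lines in parse_interfaces(config).items():
        reasons = exposure_reasons(lines)
        if reasons:
            found.append(Exposure(name, reasons))
    return found


def parse_ios_xe_version(text: str) -> tuple:
    """Pull (major, minor, maintenance) out of a 'show version' line or bare x.y.z."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z release found in {text!r}")
    return tuple(int(g) for g in m.groups())


def at_or_above_fixed(version_text: str) -> bool:
    """True when the running release is >= the fixed release named in the summary."""
    return parse_ios_xe_version(version_text) >= FIXED_RELEASE


if __name__ == "__main__":
    for e in exposed_interfaces(SAMPLE_CONFIG):
        print(f"{e.interface}: {', '.join(e.reasons)}")
    if at_or_above_fixed(SAMPLE_SHOW_VERSION):
        print("release at or above 17.15.4 (per summary); confirm with Cisco advisory")
    else:
        print("release below 17.15.4: check Cisco advisory for the fixed build in this train")
```

Run against the output of `show running-config` and `show version` collected from each switch; an interface listed with `trunk`, `macsec` or `trustsec` on a release the advisory does not list as fixed is a port whose outbound traffic an adjacent attacker could block. The user-only access port in the sample is deliberately not flagged, since the summary ties the issue to the three listed features.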

Affected products: 1

Patches: 0 (no patch entries discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)