CVE-2025-20339
Description
A vulnerability in the access control list (ACL) processing of IPv4 packets of Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL.
This vulnerability is due to the improper enforcement of the implicit deny all at the end of a configured ACL. An attacker could exploit this vulnerability by attempting to send unauthorized traffic to an interface on an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated, remote attacker can bypass IPv4 ACLs on Cisco SD-WAN vEdge Software due to improper enforcement of the implicit deny-all rule.
Vulnerability
Details
A vulnerability in the access control list (ACL) processing of IPv4 packets in Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL. The root cause is the improper enforcement of the implicit deny-all rule that should be applied at the end of every ACL. This means that traffic that should be blocked by the default deny may be permitted, effectively nullifying the ACL's intended restrictions [1].
Exploitation
An attacker can exploit this vulnerability by sending unauthorized IPv4 traffic to an interface on an affected device. No authentication is required, and the attack can be launched remotely over the network. Because the flaw lies in the ACL processing itself rather than in any particular rule set, any interface on a vulnerable release that relies on the implicit deny at the end of an IPv4 ACL to drop unmatched traffic is exposed [1].
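The following Python model, added here as an illustration and not code from Cisco or from the cited advisory, shows why a missing implicit deny matters for both the Details and Exploitation passages above: an allow-list ACL evaluated without a terminal deny degrades to "permit everything that matches no rule". The rule representation (sequence number, action, source/destination prefix, protocol, destination port) is a simplified stand-in for a real vEdge ACL, the sample ACL and the candidate flows are constructed, and the `probe_flows_outside_acl` helper is an assumption about how a practitioner would pick test traffic: it returns the flows whose fate depends solely on the implicit deny, which are exactly the flows to send from the untrusted side when verifying a device.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One IPv4 flow as seen by the ACL evaluator (constructed test input)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A simplified ACL sequence; unset fields match anything.
    This is a model, not the real vEdge ACL syntax."""
    seq: int
    action: str                # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def evaluate_correct(acl: List[Rule], flow: Flow) -> str:
    """First matching sequence wins; an unmatched flow hits the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.matches(flow):
            return rule.action
    return "drop"              # implicit deny all at the end of the ACL


def evaluate_missing_implicit_deny(acl: List[Rule], flow: Flow) -> str:
    """Models the failure mode: the explicit sequences are honoured, but a flow
    that matches none of them falls through and is forwarded instead of dropped."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.matches(flow):
            return rule.action
    return "accept"            # the implicit deny is never applied


def probe_flows_outside_acl(acl: List[Rule], candidates: List[Flow]) -> List[Flow]:
    """Return the candidate flows that match no explicit sequence.
    These are the only flows whose outcome differs between a device that
    enforces the implicit deny and one that does not, so they are the probes
    to send when verifying an interface (assumed verification approach)."""
    return [f for f in candidates if not any(r.matches(f) for r in acl)]


def bypassed(acl: List[Rule], flow: Flow) -> bool:
    """True when the flawed evaluator forwards a flow the ACL should have dropped."""
    return (evaluate_correct(acl, flow) == "drop"
            and evaluate_missing_implicit_deny(acl, flow) == "accept")


# Constructed allow-list ACL: permit HTTPS from the corporate range and ICMP,
# and rely on the implicit deny for everything else (no explicit drop sequence).
ACL = [
    Rule(10, "accept", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule(20, "accept", proto="icmp"),
]

# Constructed traffic: two flows the ACL permits, two it should drop.
CANDIDATES = [
    Flow("10.1.2.3", "192.0.2.10", "tcp", 443),      # matches seq 10
    Flow("10.1.2.3", "192.0.2.10", "icmp"),          # matches seq 20
    Flow("198.51.100.7", "192.0.2.10", "tcp", 22),   # matches nothing: SSH from outside
    Flow("10.1.2.3", "192.0.2.10", "udp", 53),       # matches nothing: DNS from inside
]

if __name__ == "__main__":
    for f in CANDIDATES:
        print(f, "correct:", evaluate_correct(ACL, f),
              "flawed:", evaluate_missing_implicit_deny(ACL, f),
              "bypass:", bypassed(ACL, f))
    print("probe flows:", probe_flows_outside_acl(ACL, CANDIDATES))
```

The point the model makes is that nothing in the explicit sequences changes between the two evaluators; only the handling of unmatched traffic differs, so an ACL written purely as a permit list offers no protection at all when the terminal deny is skipped. When testing a real device, generate the probe set from the production ACL the same way and confirm from the untrusted side that every probe is dropped.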
Impact
Successful exploitation allows an attacker to bypass the protections provided by an ACL applied on the affected device. The overall impact is organization-specific and depends on what the ACL was protecting, but in practice an ACL written as a permit list that relies on the implicit deny to block everything else is reduced to no restriction at all, so any service or network reachable through that interface could be accessed by traffic the ACL was meant to drop [1].
Mitigation
Cisco has released software updates to address this vulnerability. Workarounds are also available. Administrators are advised to upgrade to a fixed software release as indicated in the Cisco Security Advisory [1]. Until the upgrade is complete, it is worth reviewing which IPv4 ACLs on vEdge interfaces depend solely on the implicit deny to block traffic and testing from the untrusted side that traffic matching no permit sequence is in fact dropped, since those are the ACLs whose protection this flaw removes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.