CVE Reports

Originally published at cvereports.com

CVE-2025-20262: Ghost in the Machine: Crashing Cisco Nexus PIM6 with Ephemeral Queries

Vulnerability ID: CVE-2025-20262
CVSS Score: 5.0
Published: 2025-08-27

In the world of high-speed packet switching, reliability is king. Or at least, it's supposed to be. CVE-2025-20262 is a vulnerability in the Cisco Nexus 3000 and 9000 series switches that allows a low-privileged user to crash the Protocol Independent Multicast for IPv6 (PIM6) process simply by asking it a question it doesn't know how to answer. This creates a Denial of Service (DoS) condition that can ripple through a network, tearing down routing adjacencies and dropping IPv6 multicast traffic. It is a classic NULL pointer dereference triggered by the handling of 'ephemeral data': operational state that exists in memory but lacks the safety rails of persistent configuration.

TL;DR

Authenticated users with low privileges can crash the PIM6 routing process on Cisco Nexus switches by sending malformed queries for ephemeral data (operational state) via management APIs like gRPC or NETCONF. This causes a NULL pointer dereference, crashing the service and disrupting IPv6 multicast traffic.


Technical Details

  • CWE ID: CWE-476 (NULL Pointer Dereference)
  • CVSS v3.1: 5.0 (Medium)
  • Attack Vector: Network (Management Interface)
  • Privileges Required: Low
  • EPSS Score: 0.00152
  • Impact: Denial of Service (DoS)

Affected Systems

  • Cisco Nexus 3000 Series Switches (Standalone NX-OS)
  • Cisco Nexus 9000 Series Switches (Standalone NX-OS)
  • Cisco NX-OS: 9.2(1) - 9.2(4) (Fixed in: See Vendor Advisory)
  • Cisco NX-OS: 9.3(1) - 9.3(14) (Fixed in: 9.3(15))
  • Cisco NX-OS: 10.2(1) - 10.2(8) (Fixed in: 10.2(9))

Exploit Details

  • Internal Analysis: Exploitation requires sending a crafted NETCONF or gRPC query targeting specific ephemeral state objects.

Mitigation Strategies

  • Upgrade NX-OS software to fixed releases immediately.
  • Restrict management interface access (NETCONF, gRPC, API) to trusted IP addresses via ACLs.
  • Monitor syslogs for 'pim6' process crashes (Signal 11).

Remediation Steps:

  1. Identify affected Nexus 3000/9000 switches using 'show version'.
  2. Download the appropriate localized patch or full image from Cisco Software Center.
  3. Perform an ISSU (In-Service Software Upgrade) if supported, or a reload upgrade during a maintenance window.
  4. Verify the fix by monitoring PIM6 stability.
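
For step 1 across a fleet, the sketch below classifies NX-OS version strings against the ranges listed under Affected Systems. It is an added example, not part of the original report or any Cisco tooling; the version-string pattern, the treatment of letter-suffixed builds, and the sample inventory are assumptions, and trains not listed on this page are reported as "not-listed" rather than safe.

```python
import re
from collections import defaultdict

# Train -> (first affected, last affected, first fixed), from "Affected Systems"
# above. None: the page defers to the vendor advisory for the fixed release.
AFFECTED_TRAINS = {
    (9, 2): (1, 4, None),
    (9, 3): (1, 14, 15),
    (10, 2): (1, 8, 9),
}

# Assumed format: major.minor(maintenance) with an optional letter after the
# maintenance number; a suffixed build is treated like its base maintenance.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)[a-z]?\)")

def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    match = VERSION_RE.search(version_text)
    if match is None:
        return "unparsed"
    major, minor, maint = (int(g) for g in match.groups())
    train = AFFECTED_TRAINS.get((major, minor))
    if train is None:
        return "not-listed"  # not proof of safety: check the vendor advisory
    first, last, fixed = train
    if first <= maint <= last:
        return "affected"
    if fixed is not None and maint >= fixed:
        return "fixed"
    return "not-listed"

def triage(inventory):
    """Group hostnames by status, given {hostname: 'show version' text}."""
    groups = defaultdict(list)
    for host, text in sorted(inventory.items()):
        groups[classify(text)].append(host)
    return dict(groups)

# Constructed inventory: hostnames and output lines are made up.
SAMPLE_INVENTORY = {
    "leaf-01": "NXOS: version 9.3(14)",
    "leaf-02": "NXOS: version 9.3(15)",
    "spine-01": "NXOS: version 10.2(3t)",
    "spine-02": "NXOS: version 10.3(2)",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts that come back "not-listed" or "unparsed" still need a manual check against the vendor advisory before they are treated as out of scope.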

Read the full report for CVE-2025-20262 on our website for more details including interactive diagrams and full exploit analysis.