{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nexus-9000-series-switches/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nexus 3000 Series Switches","Nexus 9000 Series Switches"],"_cs_severities":["medium"],"_cs_tags":["bgp","dos","cisco","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA vulnerability exists in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches when operating in standalone NX-OS mode. Successful exploitation of this vulnerability could lead to a denial-of-service (DoS) condition. The vulnerability stems from the incorrect parsing of a transitive BGP attribute. Cisco has released software updates and workarounds to address this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated, remote attacker establishes a BGP peer session with a vulnerable Cisco Nexus switch.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP update containing a malformed transitive BGP attribute.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted BGP update to the targeted Cisco Nexus switch via the established BGP peer session.\u003c/li\u003e\n\u003cli\u003eThe vulnerable switch attempts to parse the malformed transitive BGP attribute within the update.\u003c/li\u003e\n\u003cli\u003eDue to the incorrect parsing logic, the device experiences an error condition.\u003c/li\u003e\n\u003cli\u003eThe device drops the BGP session with the peer that forwarded the update.\u003c/li\u003e\n\u003cli\u003eThe BGP session repeatedly flaps (goes up and down) with the peer.\u003c/li\u003e\n\u003cli\u003eContinuous BGP session flapping results in a denial-of-service condition, disrupting network routing and connectivity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20171 results in a denial-of-service condition, impacting the availability of network services. The affected Cisco Nexus switches, if exploited, will drop BGP sessions and flap with neighboring BGP peers, causing routing instability. This can lead to network outages and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the software updates released by Cisco to address CVE-2026-20171 on all affected Cisco Nexus 3000 Series and 9000 Series Switches to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the workarounds provided by Cisco as a temporary mitigation measure if immediate patching is not feasible.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual BGP update patterns that may indicate exploitation attempts, triggering the rules below to detect potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T16:02:17Z","date_published":"2026-05-20T16:02:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cisco-nexus-bgp-dos/","summary":"CVE-2026-20171 describes a vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches that could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial-of-service (DoS) condition.","title":"Cisco Nexus 3000 and 9000 Series Switches BGP Denial of Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cisco-nexus-bgp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Nexus 9000 Series Switches","version":"https://jsonfeed.org/version/1.1"}