Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices.
This vulnerability is due to insufficient SSH host key validation. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on SSH connections to Cisco NDFC-managed devices, which could allow an attacker to intercept this traffic. A successful exploit could allow the attacker to impersonate a managed device and capture user credentials.
AnalysisAI
Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).
Technical ContextAI
This vulnerability resides in the SSH protocol implementation within Cisco NDFC's device management communication layer. The root cause is classified as CWE-322 (Key Exchange in SSH (and SSH-Like) Protocols), which encompasses improper cryptographic key validation during SSH session establishment. SSH host key validation is critical for preventing MITM attacks; it ensures clients verify the server's public key against a trusted store (known_hosts or equivalent). In NDFC's case, the fabric controller likely fails to properly validate or enforce SSH host key checks when establishing connections to managed fabric devices (switches, leaf nodes, etc.). This allows an attacker positioned on the network path between NDFC and managed devices to intercept the SSH handshake, present a malicious public key, and transparently proxy traffic between legitimate parties. The CVE affects Cisco NDFC versions managing fabric devices; specific CPE identifiers would be 'cpe:2.3:a:cisco:nexus_dashboard_fabric_controller' with affected version ranges to be determined from official advisories.
RemediationAI
- IMMEDIATE: Consult Cisco's official security advisory for CVE-2025-20163 to identify patched versions and applicable patches for your NDFC deployment. 2. PATCHING: Apply the vendor-provided security patch to NDFC as soon as available in your maintenance window. 3. WORKAROUNDS (if patch unavailable): Restrict network access to NDFC and managed devices using network segmentation, firewall rules, or VPNs to limit MITM attack surface; disable or restrict SSH access from untrusted networks; monitor SSH traffic to/from NDFC for anomalous key exchanges. 4. VALIDATION: After patching, verify SSH host key validation is enforced by reviewing NDFC configuration (known_hosts settings, certificate pinning) and testing SSH connections from NDFC to managed devices. 5. POST-INCIDENT: Review logs for unauthorized SSH connections or credential usage if compromise is suspected. Reference: Cisco Product Security Advisories (https://tools.cisco.com/security/center/publicationListing.x), Cisco Bug Search (https://bst.cloudapps.cisco.com).
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-322 – Key Exchange without Entity Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16891