Skip to main content

SSH CVE-2025-20163

| EUVDEUVD-2025-16891 HIGH
Key Exchange without Entity Authentication (CWE-322)
2025-06-04 psirt@cisco.com
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16891
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
CVE Published
Jun 04, 2025 - 17:15 nvd
HIGH 8.7

DescriptionCVE.org

A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices.

This vulnerability is due to insufficient SSH host key validation. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on SSH connections to Cisco NDFC-managed devices, which could allow an attacker to intercept this traffic. A successful exploit could allow the attacker to impersonate a managed device and capture user credentials.

AnalysisAI

Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).

Technical ContextAI

This vulnerability resides in the SSH protocol implementation within Cisco NDFC's device management communication layer. The root cause is classified as CWE-322 (Key Exchange in SSH (and SSH-Like) Protocols), which encompasses improper cryptographic key validation during SSH session establishment. SSH host key validation is critical for preventing MITM attacks; it ensures clients verify the server's public key against a trusted store (known_hosts or equivalent). In NDFC's case, the fabric controller likely fails to properly validate or enforce SSH host key checks when establishing connections to managed fabric devices (switches, leaf nodes, etc.). This allows an attacker positioned on the network path between NDFC and managed devices to intercept the SSH handshake, present a malicious public key, and transparently proxy traffic between legitimate parties. The CVE affects Cisco NDFC versions managing fabric devices; specific CPE identifiers would be 'cpe:2.3:a:cisco:nexus_dashboard_fabric_controller' with affected version ranges to be determined from official advisories.

RemediationAI

  1. IMMEDIATE: Consult Cisco's official security advisory for CVE-2025-20163 to identify patched versions and applicable patches for your NDFC deployment. 2. PATCHING: Apply the vendor-provided security patch to NDFC as soon as available in your maintenance window. 3. WORKAROUNDS (if patch unavailable): Restrict network access to NDFC and managed devices using network segmentation, firewall rules, or VPNs to limit MITM attack surface; disable or restrict SSH access from untrusted networks; monitor SSH traffic to/from NDFC for anomalous key exchanges. 4. VALIDATION: After patching, verify SSH host key validation is enforced by reviewing NDFC configuration (known_hosts settings, certificate pinning) and testing SSH connections from NDFC to managed devices. 5. POST-INCIDENT: Review logs for unauthorized SSH connections or credential usage if compromise is suspected. Reference: Cisco Product Security Advisories (https://tools.cisco.com/security/center/publicationListing.x), Cisco Bug Search (https://bst.cloudapps.cisco.com).

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

CVE-2025-20163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy