Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.
This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.
AnalysisAI
BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.
Technical ContextAI
The affected component is the Border Gateway Protocol enforce-first-as feature in Cisco NX-OS Software (CPE: cpe:2.3:a:cisco:cisco_nx-os_software), running on Nexus 3000 and 9000 Series Switches exclusively in standalone NX-OS mode (not ACI fabric mode). The enforce-first-as feature validates that the first AS number in the BGP AS_PATH attribute matches the expected peer AS, a security control against route hijacking. The root cause is classified as CWE-670 (Always-Incorrect Control Flow Implementation), meaning the code path triggered when parsing a specific transitive BGP attribute does not follow the correct control flow, leading to an unhandled or improperly handled state that crashes the BGP session rather than discarding the malformed attribute. Because BGP UPDATE messages are transitive by nature - routers forward them to downstream peers - a single malicious injection can propagate across multiple BGP hops and trigger flaps on any NX-OS device in the propagation path that has enforce-first-as configured.
RemediationAI
The primary remediation is to apply the Cisco-released patch for NX-OS Software, with the exact fixed version to be confirmed directly from the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgp-iefab-3hb2pwtx - a specific fixed release version was not included in the available intelligence data and should not be inferred. As an immediate compensating control where patching is not immediately possible, disabling the BGP enforce-first-as feature on affected devices will remove the vulnerable code path; however, this trade-off reduces AS_PATH origin validation and may expose the device to certain BGP route manipulation techniques, so it should only be applied as a temporary measure with compensating monitoring in place. Additionally, implementing BGP route filtering and prefix-list policies to restrict which peers can send UPDATE messages, and enforcing BGP session authentication via MD5 (or TCP-AO where supported), reduces the pool of sessions through which a crafted update could be injected, though these controls do not address the underlying parsing flaw. Restricting BGP peering to known, trusted peers via ACLs on the BGP port (TCP/179) limits lateral propagation risk.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31135
GHSA-h75f-8f3x-9m8c