EUVD-2025-16891
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3Description
A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on SSH connections to Cisco NDFC-managed devices, which could allow an attacker to intercept this traffic. A successful exploit could allow the attacker to impersonate a managed device and capture user credentials.
Analysis
Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).
Technical Context
This vulnerability resides in the SSH protocol implementation within Cisco NDFC's device management communication layer. The root cause is classified as CWE-322 (Key Exchange in SSH (and SSH-Like) Protocols), which encompasses improper cryptographic key validation during SSH session establishment. SSH host key validation is critical for preventing MITM attacks; it ensures clients verify the server's public key against a trusted store (known_hosts or equivalent). In NDFC's case, the fabric controller likely fails to properly validate or enforce SSH host key checks when establishing connections to managed fabric devices (switches, leaf nodes, etc.). This allows an attacker positioned on the network path between NDFC and managed devices to intercept the SSH handshake, present a malicious public key, and transparently proxy traffic between legitimate parties. The CVE affects Cisco NDFC versions managing fabric devices; specific CPE identifiers would be 'cpe:2.3:a:cisco:nexus_dashboard_fabric_controller' with affected version ranges to be determined from official advisories.
Affected Products
Cisco Nexus Dashboard Fabric Controller (NDFC) - specific version ranges require vendor advisory consultation. The vulnerability affects NDFC installations managing Cisco fabric devices (Nexus 9000 series, MDS, etc.) via SSH. Affected CPE: cpe:2.3:a:cisco:nexus_dashboard_fabric_controller. For precise version ranges and patch availability, consult Cisco's official security advisory (typically published on Cisco Security Advisories portal or Cisco Bug Search Tool). Organizations should cross-reference their NDFC deployment versions against the official advisory to determine exposure.
Remediation
1. IMMEDIATE: Consult Cisco's official security advisory for CVE-2025-20163 to identify patched versions and applicable patches for your NDFC deployment. 2. PATCHING: Apply the vendor-provided security patch to NDFC as soon as available in your maintenance window. 3. WORKAROUNDS (if patch unavailable): Restrict network access to NDFC and managed devices using network segmentation, firewall rules, or VPNs to limit MITM attack surface; disable or restrict SSH access from untrusted networks; monitor SSH traffic to/from NDFC for anomalous key exchanges. 4. VALIDATION: After patching, verify SSH host key validation is enforced by reviewing NDFC configuration (known_hosts settings, certificate pinning) and testing SSH connections from NDFC to managed devices. 5. POST-INCIDENT: Review logs for unauthorized SSH connections or credential usage if compromise is suspected. Reference: Cisco Product Security Advisories (https://tools.cisco.com/security/center/publicationListing.x), Cisco Bug Search (https://bst.cloudapps.cisco.com).
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today