Cisco Switches Vulnerability: The Uninvited Guest Bypassing ACLs!

Cisco’s ACL programming on Catalyst 9500X and 9600X Series Switches running Cisco IOS XE has a vulnerability that could let a remote attacker bypass an egress ACL applied to a switch virtual interface (SVI). The problem arises when traffic from a MAC address the switch has not learned (because the MAC address table is full or was flushed) gets flooded: the SVI's egress ACL is not applied to that flooded traffic, so packets the ACL should drop sail through. Cisco has patched this trick, so update your software now or risk your switch becoming a comedian’s punchline!


Hot Take:

Oh Cisco, you had one job: keep the folks out who aren’t supposed to be in! Yet, here we are, with hackers potentially waltzing through the back door thanks to a MAC address table that’s as confused as a toddler in a candy store. But hey, at least there’s an update to save the day (and our networks) from becoming cyber Swiss cheese!

Key Points:

  • A vulnerability in Cisco IOS XE Software for Catalyst 9500X and 9600X Series Switches allows a remote attacker to bypass a configured ACL.
  • The issue is triggered when traffic from an unlearned MAC address is flooded to a switch virtual interface (SVI); the egress ACL on that SVI is not applied to the flooded traffic.
  • A MAC address goes unlearned when the MAC address table is full or has been flushed, so either condition opens the window for exploitation.
  • Cisco has released software updates and workarounds to address the issue.
  • Only devices running a vulnerable software version with an egress ACL configured on an SVI are affected; a device with no egress ACL on any SVI is not exposed.
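A quick triage check a network engineer might run against this advisory, added here as an example (it is not code from the original post or from Cisco): it parses `show running-config` text for SVIs that carry an outbound IPv4 ACL, which is the configuration the key points say must be present for the bypass to matter. The sample config is constructed for illustration, and the script only finds candidate interfaces; whether the device is actually affected still depends on the IOS XE version, which this script does not check.

```python
"""Find SVIs with an egress (outbound) IPv4 ACL in an IOS XE running-config.

Added example, not from the original post or from Cisco. It looks for
`interface VlanN` blocks containing `ip access-group <name> out`, the
configuration the advisory summary says is required for exposure.
SAMPLE_CONFIG below is constructed, not captured from a real device.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: two SVIs with an egress ACL, one SVI with only an
# ingress ACL, and a physical port with an egress ACL (not the SVI case).
SAMPLE_CONFIG = """\
!
interface Vlan10
 description users
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
 ip access-group USERS-OUT out
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface GigabitEthernet1/0/1
 ip access-group EDGE-OUT out
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group MGMT-OUT out
!
end
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ACL_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the indented lines of its config block."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None  # '!', a blank line or a top-level command ends the block
    return interfaces


def svis_with_egress_acl(config: str) -> Dict[str, List[str]]:
    """Return {svi_name: [ACL names applied outbound]} for Vlan interfaces only."""
    hits: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("vlan"):
            continue  # egress ACLs on physical ports are not the SVI case
        for line in lines:
            m = ACL_RE.match(line)
            if m and m.group(2) == "out":
                hits.setdefault(name, []).append(m.group(1))
    return hits


if __name__ == "__main__":
    found = svis_with_egress_acl(SAMPLE_CONFIG)
    if found:
        for svi, acls in found.items():
            print(f"{svi}: egress ACL(s) {', '.join(acls)} -- verify the running IOS XE version")
    else:
        print("no SVI carries an egress ACL; this advisory does not apply to the config")
```

Feed it the saved output of `show running-config` instead of SAMPLE_CONFIG to run it against a real device; on the sample it reports Vlan10 and Vlan30 and ignores the egress ACL on GigabitEthernet1/0/1.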

The Nimble Nerd