Cisco Switches Vulnerability: When Your ACL is More Like an “Open Door” Policy

Cisco Catalyst 1000 and 2960L Switches have a vulnerability in their ACL programming. Using both an IPv4 ACL and the dynamic ACL that IP Source Guard installs on the same interface is unsupported, but the software does not prevent the configuration. An attacker could use this to bypass the configured ACL. No software updates are available, but workarounds exist.


Hot Take:

It seems like Cisco’s Catalyst switches have taken the word “dynamic” a tad too literally. Who knew that unsupported configurations could be the next big trend in cybersecurity vulnerabilities? It’s like the ‘diet cola’ of configurations: shouldn’t exist, but somehow, it does!

Key Points:

  • Cisco’s Catalyst 1000 and 2960L Switches have a vulnerability in ACL programming.
  • The issue arises when using both IPv4 ACL and dynamic ACL (IP Source Guard) on the same interface.
  • Attackers can bypass configured ACLs due to this unsupported configuration.
  • Cisco’s documentation now clarifies that this setup is unsupported.
  • No software updates yet, but workarounds are available.
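Since the switch accepts the unsupported combination silently, the practical defensive step is to audit running configurations for interfaces that carry both a port ACL and IP Source Guard. The script below is an added example, not code from this post or from Cisco; it assumes the standard IOS interface commands `ip access-group <acl> in|out` (IPv4 port ACL) and `ip verify source` (IP Source Guard), and runs over a constructed sample config embedded inline.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from the advisory).
# Gi1/0/1 has both features, Gi1/0/2 only the ACL, Gi1/0/3 only IP Source Guard.
SAMPLE_CONFIG = """\
hostname access-sw1
!
ip access-list extended USERS-IN
 permit ip 10.10.0.0 0.0.255.255 any
 deny ip any any
!
interface GigabitEthernet1/0/1
 description user port - ACL plus IP Source Guard (unsupported combination)
 switchport access vlan 10
 ip access-group USERS-IN in
 ip verify source
!
interface GigabitEthernet1/0/2
 description user port - ACL only
 switchport access vlan 10
 ip access-group USERS-IN in
!
interface GigabitEthernet1/0/3
 description user port - IP Source Guard only
 switchport access vlan 10
 ip verify source port-security
!
end
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ACL_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")
IPSG_RE = re.compile(r"^\s+ip verify source\b")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented config lines under the interface stanza they belong to."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        # A '!' separator or any unindented line ends the current stanza.
        if line.startswith("!") or not line.startswith(" "):
            current = None
            continue
        if current is not None:
            stanzas[current].append(line)
    return stanzas


def find_unsupported_combination(config: str) -> Dict[str, str]:
    """Return {interface: acl_name} for every interface that has both an
    IPv4 port ACL and IP Source Guard configured."""
    findings: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        acl = None
        ipsg = False
        for line in lines:
            m = ACL_RE.match(line)
            if m:
                acl = m.group(1)
            elif IPSG_RE.match(line):
                ipsg = True
        if acl and ipsg:
            findings[name] = acl
    return findings


if __name__ == "__main__":
    for iface, acl in find_unsupported_combination(SAMPLE_CONFIG).items():
        print(f"{iface}: ACL {acl} combined with IP Source Guard (unsupported)")
```

Feed it the output of `show running-config` from each switch; any interface it reports is one where the ACL may not be enforced as intended, and is the place to apply whichever workaround Cisco's advisory prescribes.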

The Nimble Nerd