Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol Denial of Service Vulnerability

CVSS 6.8 | cisco-sa-bgp-iefab-3hb2pwtx | May 20, 2026
Vendor: Cisco
IT in OT: Cisco networking products are commonly deployed in OT environments
Attack path
  • Attack vector: Network
  • Auth required: None
  • Complexity: High
  • User interaction: None needed
Summary

A vulnerability in the BGP enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service condition. The vulnerability is caused by incorrect parsing of a transitive BGP ATTR_SET attribute. An attacker could send a crafted BGP update through an established BGP peer session; if it propagates to an affected device, the device would drop the BGP session and flap with the forwarding peer, disrupting routing availability. Cisco has released software updates that address this vulnerability. Workarounds include discarding the ATTR_SET attribute, or treating it as a withdraw, on a per-neighbor basis, or disabling the enforce-first-as feature globally.

What this means
What could happen
An attacker could send a malicious BGP update that causes affected switches to drop BGP peer connections repeatedly, disrupting routing and network availability across your organization's backbone.
Who's at risk
Network operators and providers who run Cisco Nexus 3000 or 9000 Series Switches as BGP routers or route reflectors in their backbone or ISP networks, particularly those that accept BGP updates from external peers or untrusted ISP connections.
How it could be exploited
An attacker on the network sends a crafted BGP update containing a malicious ATTR_SET attribute through an established BGP peer session. When the update reaches an affected Nexus switch, the switch misparses the attribute, drops the BGP session with that peer, and then reconnects, causing repeated flapping that disrupts routing table stability and traffic forwarding.
Prerequisites
  • BGP peer session established with an affected switch
  • Network access to send BGP updates to the switch (typically requires direct peering relationship or compromised BGP peer)
  • Enforce-first-as feature enabled on the affected device (default configuration)
Tags: remotely exploitable; no authentication required; affects network routing and availability; requires BGP peering relationship
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2), 2 with fix

Product                     | Affected versions | Fix status
Nexus 3000 Series Switches  | All versions      | Fix available
Nexus 9000 Series Switches  | All versions      | Fix available
Remediation & Mitigation
Do now
  • WORKAROUND: If patching cannot be completed immediately, add the 'path-attribute discard 128 in' command under each BGP neighbor that is sending ATTR_SET attributes, so the malicious attribute is never parsed.
  • WORKAROUND: Alternatively, add 'path-attribute treat-as-withdraw 128 in' under the BGP neighbor configuration to treat any update carrying the ATTR_SET attribute as a withdraw, removing the affected prefixes from the routing table.
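Both workarounds are applied per neighbor, so an operator first has to know which peers actually forward ATTR_SET. One way to find out from captured BGP traffic is to decode the path-attribute list of each UPDATE. The Python below is an added example (not Cisco's code and not part of this advisory): it parses a BGP UPDATE as laid out in RFC 4271, lists the attribute type codes present, and when type code 128 (ATTR_SET, RFC 6368) appears it extracts the originating AS and the nested attribute codes. Every length field is checked against the remaining buffer, so a truncated or over-long attribute raises an error instead of being accepted. The sample UPDATE, the AS numbers and the addresses are constructed for this demonstration and carry a well-formed ATTR_SET.

```python
"""Decode BGP UPDATE path attributes and report ATTR_SET (type 128) usage.
Added example for auditing which peers forward ATTR_SET; not Cisco code."""
import struct

# Message and attribute constants (RFC 4271, RFC 6368)
BGP_HEADER_LEN = 19
MSG_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
ATTR_SET = 128                      # RFC 6368 ATTR_SET, optional transitive
# Attribute flag bits: optional, transitive, partial, extended length
F_OPTIONAL, F_TRANSITIVE, F_PARTIAL, F_EXT_LEN = 0x80, 0x40, 0x20, 0x10


def build_attr(flags: int, code: int, value: bytes) -> bytes:
    """Encode one path attribute (used only to construct the sample below)."""
    if len(value) > 255:
        flags |= F_EXT_LEN
        return bytes([flags, code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, code, len(value)]) + value


def build_update(attrs: bytes, nlri: bytes) -> bytes:
    """Wrap path attributes and NLRI in an UPDATE with its 19-byte header."""
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes
    return b"\xff" * 16 + struct.pack("!HB", BGP_HEADER_LEN + len(body), MSG_UPDATE) + body


def parse_attrs(data: bytes) -> list:
    """Return [(code, flags, value)] for a path-attribute byte string.
    A length field that runs past the buffer raises ValueError."""
    out, i = [], 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        flags, code = data[i], data[i + 1]
        if flags & F_EXT_LEN:
            if i + 4 > len(data):
                raise ValueError("truncated extended length at offset %d" % i)
            length, hdr = struct.unpack_from("!H", data, i + 2)[0], 4
        else:
            length, hdr = data[i + 2], 3
        start, end = i + hdr, i + hdr + length
        if end > len(data):
            raise ValueError("attribute %d claims %d bytes, only %d remain"
                             % (code, length, len(data) - start))
        out.append((code, flags, data[start:end]))
        i = end
    return out


def parse_update(msg: bytes) -> dict:
    """Split a BGP UPDATE into withdrawn routes, path attributes and NLRI."""
    if len(msg) < BGP_HEADER_LEN or msg[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, mtype = struct.unpack_from("!HB", msg, 16)
    if mtype != MSG_UPDATE or length != len(msg):
        raise ValueError("not a complete UPDATE message")
    wlen = struct.unpack_from("!H", msg, 19)[0]
    p = 21 + wlen
    alen = struct.unpack_from("!H", msg, p)[0]
    attrs = msg[p + 2:p + 2 + alen]
    if len(attrs) != alen:
        raise ValueError("path attribute length exceeds message")
    return {"withdrawn": msg[21:p], "attrs": parse_attrs(attrs),
            "nlri": msg[p + 2 + alen:]}


def audit_attr_set(msg: bytes) -> dict:
    """Report whether an UPDATE carries ATTR_SET and, if it does, the
    originating AS and nested attribute codes (RFC 6368 layout: a 4-byte
    origin AS followed by an ordinary path-attribute list)."""
    report = {"attr_set": False, "transitive": False, "origin_as": None,
              "nested_codes": [], "outer_codes": []}
    for code, flags, value in parse_update(msg)["attrs"]:
        report["outer_codes"].append(code)
        if code != ATTR_SET:
            continue
        report["attr_set"] = True
        report["transitive"] = bool(flags & F_TRANSITIVE)
        if len(value) < 4:
            raise ValueError("ATTR_SET shorter than its 4-byte origin AS")
        report["origin_as"] = struct.unpack_from("!I", value)[0]
        report["nested_codes"] = [c for c, _, _ in parse_attrs(value[4:])]
    return report


# Constructed sample: a benign UPDATE for 203.0.113.0/24 as a peer in AS 65001
# might forward it, carrying an ATTR_SET originated by AS 65000.
SAMPLE_UPDATE = build_update(
    build_attr(F_TRANSITIVE, ATTR_ORIGIN, b"\x00")                          # ORIGIN IGP
    + build_attr(F_TRANSITIVE, ATTR_AS_PATH, b"\x02\x01" + struct.pack("!H", 65001))
    + build_attr(F_TRANSITIVE, ATTR_NEXT_HOP, bytes([192, 0, 2, 1]))
    + build_attr(F_OPTIONAL | F_TRANSITIVE, ATTR_SET,
                 struct.pack("!I", 65000) + build_attr(F_TRANSITIVE, ATTR_ORIGIN, b"\x00")),
    bytes([24, 203, 0, 113]),                                               # /24 NLRI
)

if __name__ == "__main__":
    print(audit_attr_set(SAMPLE_UPDATE))
```

Run over the UPDATE bytes of a capture, the report's `attr_set` flag tells you which sessions need the per-neighbor 'path-attribute' workaround; the 'transitive' flag is the reason the attribute crosses routers that do not understand it, and the nested codes show what the originating AS wrapped inside it.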
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Nexus 3000 and 9000 Series Switches to the patched firmware versions released by Cisco.
Long-term hardening
  • HARDENING: Restrict which upstream and peer networks can establish BGP sessions with your edge routers, using BGP access lists and MD5 authentication.
API: /api/v1/advisories/298b8c19-cccd-40ec-be6c-9079207a27bd

