Cisco IOS XE Software for Catalyst 9000 Series Switches DHCP Snooping Denial of Service Vulnerability
Plan Patch | CVSS 8.6 | cisco-sa-bootp-WuBhNBxA | Mar 25, 2026
Vendor: Cisco | Sector: Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in DHCP snooping on Cisco Catalyst 9000 Series Switches allows an unauthenticated remote attacker to send BOOTP packets that are improperly forwarded between VLANs, causing VLAN leakage and high CPU utilization. This renders the switch unreachable and unable to forward traffic, resulting in denial of service. The vulnerability can be exploited with either unicast or broadcast BOOTP packets. Affected versions: IOS XE 16.10.1 through 17.9.8.
What this means
What could happen
An attacker can send BOOTP packets to cause VLAN leakage and spike CPU utilization on the switch, making it unreachable and unable to forward traffic. This results in a network-wide denial of service affecting all devices connected to the switch.
Who's at risk
This affects network operators, transportation authorities, and any organization running Cisco Catalyst 9000 Series Switches with DHCP snooping enabled. These switches are commonly used as core network infrastructure in utility and transit networks. The vulnerability impacts all downstream devices when the switch becomes unavailable.
How it could be exploited
An unauthenticated attacker with network access to the switch sends crafted BOOTP request packets (unicast or broadcast) to an affected Catalyst 9000 switch. The switch improperly handles these packets and forwards them between VLANs, causing high CPU utilization that renders the device unable to respond to management commands or forward traffic.
Prerequisites
- Network access to the Catalyst 9000 switch (Layer 2 or Layer 3)
- DHCP snooping feature is enabled on the switch
- Switch runs affected IOS XE versions (16.10.1 through 17.9.8)
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (8.6 CVSS); affects network availability and critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: Cisco IOS XE Software for Catalyst 9000 Series Switches DHCP Snooping
Affected Versions: 16.10.1 through 17.9.8
Fix Status: Fix available
Remediation & Mitigation
Do now
WORKAROUND: If your network does not require BOOTP support, apply the command 'ip dhcp relay bootp ignore' on the affected device to block BOOTP traffic.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update Cisco IOS XE to a patched version released after March 2026 that addresses DHCP snooping BOOTP handling.
Long-term hardening
HARDENING: Implement network access controls to restrict BOOTP traffic (UDP ports 67/68) to trusted DHCP servers and authorized networks only.
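A triage helper for the remediation steps above, added here as an example and not part of the advisory or any Cisco tooling: it reads captured 'show version' and 'show running-config' text and reports whether a switch is in the stated affected range, has DHCP snooping enabled, and already carries the 'ip dhcp relay bootp ignore' workaround. The sample CLI output is constructed, and the version regex assumes the 'Version major.minor.patch[letter]' form IOS XE prints.

```python
"""Triage helper (added example, not from the advisory): given captured
'show version' and 'show running-config' text from a Catalyst 9000, report
whether the IOS XE release is within the stated affected range (16.10.1
through 17.9.8), whether DHCP snooping is on, and whether the
'ip dhcp relay bootp ignore' workaround is present. Version parsing assumes
the 'Version major.minor.patch[letter]' form (e.g. 17.09.04a); consult the
Cisco advisory for the authoritative fixed-release list."""
import re

AFFECTED_LOW = (16, 10, 1)   # range as stated on this page
AFFECTED_HIGH = (17, 9, 8)


def parse_version(show_version: str):
    """Return (major, minor, patch) from 'show version' text, or None."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)[a-z]?", show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(ver) -> bool:
    return ver is not None and AFFECTED_LOW <= ver <= AFFECTED_HIGH


def snooping_enabled(running_config: str) -> bool:
    # Global enable line only; 'no ip dhcp snooping' and per-VLAN lines don't match.
    return re.search(r"^ip dhcp snooping\s*$", running_config, re.M) is not None


def bootp_ignored(running_config: str) -> bool:
    return re.search(r"^ip dhcp relay bootp ignore\s*$", running_config, re.M) is not None


def triage(show_version: str, running_config: str) -> dict:
    ver = parse_version(show_version)
    affected = is_affected_version(ver)
    snoop = snooping_enabled(running_config)
    ignored = bootp_ignored(running_config)
    return {"version": ver, "affected_version": affected,
            "dhcp_snooping": snoop, "bootp_ignore": ignored,
            # Exposed only when in range, snooping on, and no workaround applied.
            "exposed": affected and snoop and not ignored}


# Constructed sample output for a switch inside the affected range.
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.04a\n"
SAMPLE_CONFIG = "hostname core-sw1\nip dhcp snooping\nip dhcp snooping vlan 10,20\n"

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

Feed it the real CLI captures from each switch in the fleet to build the "Do now" list; a device that reports exposed but is not in Cisco's fixed-release list still needs the workaround until a patch is scheduled.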
CVEs (1)