How to fix CVE-2025-20111

nomair_83
Level 3

High-severity vulnerability CVE-2025-20111 is related to Nexus 9k standalone mode and could allow an unauthenticated, adjacent attacker to cause the device to reload unexpectedly, resulting in a denial-of-service (DoS) condition.

This vulnerability is due to the incorrect handling of specific Ethernet frames. An attacker could exploit this vulnerability by sending a sustained rate of crafted Ethernet frames to an affected device. A successful exploit could allow the attacker to cause the device to reload.

A workaround is available, but implementing the workaround on those releases may result in prolonged control plane instability.

Only the Nexus 9k device models below are affected:

  • Nexus 9200 Series Switches in standalone NX-OS mode
  • Nexus 9300 Series Switches in standalone NX-OS mode
  • Nexus 9400 Series Switches in standalone NX-OS mode

Affected version list for 9300 switches:

  • 10.2.7
  • 10.2.6
  • 9.3.7a
  • 9.3.7

9.2.4 is not affected.

There is a workaround that addresses this vulnerability. However, the workaround is not recommended for Cisco NX-OS Software releases that do not include a fix for Field Notice FN72433.

Implementing the workaround on those releases may result in prolonged control plane instability.

To stop the device from reloading when the diagnostic test L2ACLRedirect repeatedly fails, use the following configuration commands to override the default test behavior and only log failures:

nxos# configure
nxos(config)# event manager applet l2acl_override override __L2ACLRedirect
nxos(config-applet)# action 1 syslog priority emergencies msg l2aclFailed

This workaround has been deployed and was proven successful in a test environment.

 

Regards
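
As an added example that is not part of the post above or of any Cisco tooling, the script below audits constructed `show version` and `show running-config` output for the two things the post raises: whether the device's NX-OS release is in the 9300 affected list quoted in the post, and whether the EEM override applet from the post is actually present with its syslog action. The affected-release set is taken only from the post (it is partial; the full list is in the Cisco advisory, which this page does not reproduce), the sample outputs are constructed rather than captured from a real switch, and the `show version` line format (`NXOS: version ...`, `cisco Nexus9000 C... Chassis`) is an assumption about the platform's output.

```python
import re

# Affected NX-OS releases for Nexus 9300 standalone mode, exactly as listed in the
# post above. ASSUMPTION: this is a partial list; the advisory is authoritative.
AFFECTED_9300_RELEASES = {"10.2.7", "10.2.6", "9.3.7a", "9.3.7"}

# Constructed sample outputs (not captured from a real device) used to exercise the checks.
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 05.47
  NXOS: version 10.2.6
Hardware
  cisco Nexus9000 C93180YC-FX Chassis
"""

SAMPLE_CONFIG_WITH_WORKAROUND = """\
hostname nxos
event manager applet l2acl_override override __L2ACLRedirect
  action 1 syslog priority emergencies msg l2aclFailed
"""

# Header only: the diagnostic test is overridden, but nothing is logged. A practitioner
# should treat this as an incomplete workaround, so the checker rejects it.
SAMPLE_CONFIG_OVERRIDE_NO_ACTION = """\
hostname nxos
event manager applet l2acl_override override __L2ACLRedirect
"""

SAMPLE_CONFIG_WITHOUT_WORKAROUND = """\
hostname nxos
feature bgp
"""

# ASSUMPTION: these patterns match the NX-OS 'show version' layout shown in the sample above.
VERSION_RE = re.compile(r"^\s*NXOS:\s+version\s+(\S+)", re.MULTILINE)
MODEL_RE = re.compile(r"cisco\s+Nexus9000\s+(C9\d+\S*)\s+Chassis", re.IGNORECASE)
# Applet header as given in the post; the applet name itself is free-form.
APPLET_RE = re.compile(r"^event manager applet (\S+) override __L2ACLRedirect\s*$")


def parse_show_version(text):
    """Return (nxos_version, model) from 'show version' output; a missing field is None."""
    v = VERSION_RE.search(text)
    m = MODEL_RE.search(text)
    return (v.group(1) if v else None, m.group(1) if m else None)


def workaround_present(running_config):
    """True only if an applet overrides __L2ACLRedirect AND its body carries a syslog action.

    Lines indented under the applet header belong to the applet; the first non-indented
    line ends it. An override applet with no action silences the test without logging.
    """
    lines = running_config.splitlines()
    for i, line in enumerate(lines):
        if not APPLET_RE.match(line):
            continue
        body = []
        for nxt in lines[i + 1:]:
            if nxt and not nxt[0].isspace():
                break
            body.append(nxt.strip())
        if any(b.startswith("action ") and " syslog " in b for b in body):
            return True
    return False


def assess(show_version, running_config):
    """Combine both checks into a small exposure record for one device."""
    version, model = parse_show_version(show_version)
    is_9300 = model is not None and model.upper().startswith("C93")
    # Only the 9300 list is on this page, so other series get affected=None (unknown here).
    affected = (version in AFFECTED_9300_RELEASES) if is_9300 else None
    present = workaround_present(running_config)
    if affected is None:
        action = "series not covered by the post's list; check the advisory"
    elif not affected:
        action = "release not in the post's affected list; confirm against the advisory"
    elif present:
        action = "EEM override in place; still schedule the upgrade to a fixed release"
    else:
        action = ("upgrade to a fixed release; apply the EEM override only on releases "
                  "that include the FN72433 fix")
    return {"version": version, "model": model, "affected": affected,
            "workaround_present": present, "action": action}


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG_WITH_WORKAROUND, SAMPLE_CONFIG_WITHOUT_WORKAROUND):
        print(assess(SAMPLE_SHOW_VERSION, cfg))
```

The check deliberately requires the `syslog` action, not just the applet header, because an override applet with an empty body stops the reload but also hides every L2ACLRedirect failure; the post's whole point is to keep logging them.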

 

2 Replies

nspasov
Cisco Employee

The security advisory that you listed mentions that software versions have been released to address the mentioned vulnerability. Have you explored this approach? Also, I suggest you post this query in the "switching" section of the support community for additional input. 

Thank you for rating helpful posts!

Hi,

I have advised my customers to upgrade to 10.4.4.

Will keep you posted.

Regards,
