A high-severity vulnerability has been discovered in certain Cisco Catalyst 9000 series switches that could allow a local attacker to cause a network outage. An attacker on the same physical network could send specific network traffic that blocks a switch port, causing it to drop all outgoing data and disrupting service for all connected devices.

The vulnerability exists in the packet processing engine of Cisco IOS XE Software. An unauthenticated attacker located on the same local network segment (adjacent) can send a sequence of specially crafted Ethernet frames to a vulnerable switch. The software's failure to properly handle these frames can trigger a fault condition, forcing the targeted egress (outbound) port into a blocked state, which results in a persistent denial-of-service (DoS) as all outbound traffic through that port is dropped.

This vulnerability is rated as High severity with a CVSS score of 7.4. A successful exploit would result in a denial-of-service (DoS) condition on the affected network switch port. This can lead to a complete loss of network connectivity for critical servers, workstations, or other network segments connected to that port, causing significant operational disruption. The primary business risks include extended downtime for essential services, loss of productivity, and potential financial impact depending on the services affected by the network outage.

Immediate Action: Organizations should immediately apply the security updates provided by Cisco to all affected Catalyst 9000 Series Switches. Prior to patching, system configurations should be backed up and a rollback plan should be established in accordance with change management procedures.

Proactive Monitoring: Network and security teams should monitor for anomalous port behavior on Catalyst 9000 switches, such as ports unexpectedly entering a blocked or error-disabled state. Review switch syslog messages for errors related to packet handling or port instability. Network traffic analysis may reveal attempts to send malformed frames, although this can be difficult to detect without specialized tools.

Compensating Controls: If immediate patching is not feasible, consider implementing compensating controls. Enforce strict port security features to limit the MAC addresses that can communicate on a given port. Implement Layer 2 security controls like DHCP Snooping and Dynamic ARP Inspection to limit the capabilities of an adjacent attacker. Isolate critical systems onto separate, more tightly controlled network segments to limit the blast radius of a potential attack.

Public Exploit Available: False

Given the High severity rating (CVSS 7.4) and the potential for significant operational disruption through a denial-of-service attack, it is strongly recommended that organizations prioritize the immediate patching of all affected Cisco Catalyst 9000 Series Switches. While this vulnerability is not currently listed on the CISA KEV catalog, its low attack complexity for an adjacent attacker presents a considerable risk to network availability. Organizations should treat this as a high-priority vulnerability and apply the vendor-supplied updates as soon as possible to mitigate the risk of a network outage.