Cisco Catalyst 9500X and 9600X Series Switches Access Control List Bypass Vulnerability

Vulnerability

A vulnerability in the access control list (ACL) management of Cisco IOS XE Software on Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a configured egress ACL. The issue arises when traffic sourced from a MAC address the switch has not yet learned is flooded out a switch virtual interface (SVI) that has an egress ACL applied. Exploitation can cause the VLAN to clear its MAC address table, after which the attacker's flooded traffic may be forwarded without the egress ACL being enforced. The vulnerability affects multiple Cisco IOS XE Software releases.
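The exposure condition described above is an SVI with an egress ACL applied, so the first thing a practitioner wants is an inventory of such interfaces across a fleet of running-configs. The script below is an added example, not code from the page or from Cisco: it parses an IOS-style configuration, collects each `interface Vlan...` block, and reports the ACLs bound outbound via `ip access-group <name> out` or `ipv6 traffic-filter <name> out`. The sample configuration is constructed for illustration. The output is an exposure list only; whether a given device is actually affected still depends on its platform and IOS XE release.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname core-sw1
!
ip access-list extended BLOCK-MGMT
 deny ip any 10.0.0.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 description Users
 ip address 10.10.0.1 255.255.255.0
 ip access-group BLOCK-MGMT out
!
interface Vlan20
 description Servers
 ip address 10.20.0.1 255.255.255.0
 ip access-group BLOCK-MGMT in
!
interface Vlan30
 ipv6 address 2001:db8:30::1/64
 ipv6 traffic-filter V6-OUT out
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip access-group BLOCK-MGMT out
!
end
"""

# Top-level "interface <name>" line that opens an interface block.
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
# Outbound IPv4 ACL or outbound IPv6 traffic filter bound inside a block.
EGRESS_ACL_RE = re.compile(
    r"^\s+(?:ip access-group|ipv6 traffic-filter)\s+(\S+)\s+out\s*$"
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented body lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is None:
            continue
        if line.startswith(" "):
            interfaces[current].append(line)
        else:
            # A '!' separator or any other top-level command ends the block.
            current = None
    return interfaces


def svis_with_egress_acl(config: str) -> Dict[str, List[str]]:
    """Return {SVI name: [egress ACL names]} for Vlan interfaces with an outbound ACL.

    Physical ports and SVIs with only inbound ACLs are deliberately excluded,
    since the condition on this page is an egress ACL on an SVI.
    """
    findings: Dict[str, List[str]] = {}
    for name, body in parse_interfaces(config).items():
        if not name.lower().startswith("vlan"):
            continue
        acls = []
        for line in body:
            m = EGRESS_ACL_RE.match(line)
            if m:
                acls.append(m.group(1))
        if acls:
            findings[name] = acls
    return findings


if __name__ == "__main__":
    for svi, acls in svis_with_egress_acl(SAMPLE_CONFIG).items():
        print(f"{svi}: egress ACL(s) {', '.join(acls)}")
```

Run it against `show running-config` output saved from each switch; any SVI it lists is one whose egress filtering relies on the behaviour this advisory covers and should be prioritised for the software upgrade.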

Impact

Successful exploitation allows an attacker to bypass egress ACLs on affected switches, so traffic that the ACL should have dropped is forwarded out the SVI unfiltered.

Remediation

Cisco has released software updates that address this vulnerability. Upgrade instructions are available on the Cisco Support and Downloads page. Customers without a Cisco service contract can obtain the fixed software by contacting the Cisco Technical Assistance Center (TAC).

Added: Sep 24, 2025, 6:51 PM
Updated: Sep 24, 2025, 6:51 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 0.6
exploitability: 4.5
remediation: 6.0
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.