Cisco has issued a high-severity security advisory (ID: cisco-sa-ndfc-shkv-snQJtjrp) regarding a critical SSH host key validation vulnerability in its Nexus Dashboard Fabric Controller (NDFC), tracked as CVE-2025-20163.
The flaw, assigned a CVSS 3.1 base score of 8.7, could allow unauthenticated, remote attackers to impersonate Cisco NDFC-managed devices, posing significant risks to data center infrastructure.
The vulnerability is rooted in insufficient validation of SSH host keys (CWE-322: Key Exchange without Entity Authentication), enabling attackers to perform machine-in-the-middle (MitM) attacks on SSH connections to NDFC-managed devices.
By exploiting this, threat actors could intercept sensitive traffic and capture user credentials, potentially gaining unauthorized access to critical network resources.
Affected Versions and Technical Impact
The vulnerability affects all Cisco NDFC releases prior to 12.2.3, including legacy Cisco Data Center Network Manager (DCNM) versions, as well as several releases of Cisco Nexus Dashboard unified software.
The issue is not dependent on device configuration; all deployments using affected versions are at risk.
The technical weakness arises from the lack of strict SSH host key verification, which is critical for ensuring the authenticity of devices during SSH connections.
Without this validation, attackers can present rogue SSH keys and intercept or manipulate traffic between the NDFC and managed devices.
Example of SSH Host Key Verification Failure (for context):
bash@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
...
Host key verification failed.
This warning, familiar to SSH users, highlights the risk when host key validation is not properly enforced.
Affected and Fixed Releases
| Cisco Nexus Dashboard Release | Status | First Fixed Release |
|---|---|---|
| 3.1 | Affected | Migrate to fixed |
| 3.2 | Affected | 3.2(2f) |
| < 12.2.3 (NDFC) | Affected | 12.2.3 |
Starting with NDFC release 12.2.3, SSH host key verification is enforced, similar to industry best practices.
This feature is currently disabled by default for backward compatibility but is planned to be enabled by default in future releases.
There are currently no workarounds available for this vulnerability.
Cisco has released free software updates that address the issue, and customers are strongly urged to upgrade to a fixed release as soon as possible.
The fix introduces a new SSH host key verification feature, which administrators can enable to mitigate the risk of MitM attacks.
Recommended Actions:
- Upgrade NDFC to version 12.2.3 or later, or migrate to Cisco Nexus Dashboard 3.2(2f) or later.
- Validate and update SSH configurations across managed devices.
- Implement network segmentation and monitor for suspicious SSH activity as additional security measures.
Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any public exploitation or announcements regarding this vulnerability as of June 5, 2025.
However, given the high impact on confidentiality and integrity, organizations should prioritize remediation to safeguard critical infrastructure.
For more technical details, consult Cisco’s official advisory and product documentation.
To Upgrade Your Cybersecurity Skills, Take Diamond Membership With 150+ Practical Cybersecurity Courses Online – Enroll Here
Source link
