Cisco Security Advisory
Click Icon to Copy Verbose Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
-
A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.
This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgp-iefab-3hb2pwtx
-
Vulnerable Products
At the time of publication, this vulnerability affected Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode if they had the BGP routing protocol configured.
Note: The affected enforce-first-as feature is enabled by default when BGP is configured and will not be visible in the running configuration of the device. For information about disabling this feature, see the Workarounds section of this advisory.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether the device has established BGP peering sessions, use the show bgp sessions command. If the router is configured for BGP, this command will return output that shows total and established peers, as shown in the following example:
n9k# show bgp sessions
Total peers 1, established peers 1
ASN 64550
VRF default, local ASN 64550
peers 1, established peers 1, local router-id 172.16.240.122
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown
Neighbor ASN Flaps LastUpDn|LastRead|LastWrit St Port(L/R) Notif(S/R)
10.0.0.2 64512 0 4d03h |00:00:36|00:00:32 E 24058/179 0/0Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Security Appliances
- MDS 9000 Series Multilayer Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Fabric Switches in ACI mode
- Secure Firewall 200 Series
- Secure Firewall 1200 Series
- Secure Firewall 3100 Series
- Secure Firewall 4200 Series
- Secure Firewall 6100 Series
- UCS 6300 Series Fabric Interconnects
- UCS 6400 Series Fabric Interconnects
- UCS 6500 Series Fabric Interconnects
- UCS 6600 Series Fabric Interconnects
- UCS X-Series Direct Fabric Interconnect 9108 100G
-
The indicator of compromise for this vulnerability is BGP neighbor flapping and malformed as path error messages in the log. Make sure that BGP neighbor changes are logged through the log-neighbor-changes configuration command, as shown in the following example:
router bgp 64550
log-neighbor-changesUse the show logging last 10 command to display the last 10 log messages, as shown in the following example:
n9k# show logging last 10
2026 May 15 13:29:29 PE2 %BGP-5-ADJCHANGE: bgp-2 [64512] (default) neighbor 10.0.0.2 Up
2026 May 15 13:29:30 PE2 %BGP-5-ADJCHANGE: bgp-2 [64512] (default) neighbor 10.0.0.2 Down - sent: malformed as path error
-
There are two workarounds that address this vulnerability. If an affected device does not need to use the ATTR_SET attribute to carry customer edge (CE) attributes across the ISP network, RFC 6368 states that it is an optional attribute that can be discarded.
To discard the attribute and add or update the prefixes that are contained in the update to the routing table, add the path-attribute discard 128 in configuration command under the neighbor configuration that is sending it, as shown in the following example:
router bgp 64550
neighbor 10.0.0.2
path-attribute discard 128 inAlternatively, to discard the attribute and remove the prefixes that are contained in the update from the routing table, add the path-attribute treat-as-withdraw 128 in configuration command under the neighbor configuration that is sending it, as shown in the following example:
router bgp 64550
neighbor 10.0.0.2
path-attribute treat-as-withdraw 128 inThere is also a mitigation. To disable the enforce-first-as global BGP feature on the provider edge (PE) that is receiving the ATTR_SET attribute, configure the no enforce-first-as command, as shown in the following example. This will disable first Autonomous System Number (ASN) checking.
router bgp 64550
no enforce-first-asNote: Changing default BGP behavior on Cisco NX-OS Software by disabling this feature will prevent BGP from bringing down a peer adjacency if it receives an unexpected first Autonomous System (AS) in AS_PATH, weakening a security mechanism. To apply this policy change, BGP peers will need to be reset.
While these workarounds and this mitigation have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
-
Cisco considers any workarounds and mitigations (if applicable) to be temporary solutions until an upgrade to a fixed software release is available. To fully remediate this vulnerability and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.
Cisco NX-OS Software
To help customers determine their exposure to vulnerabilities in Cisco NX-OS Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps:
- Choose which advisories the tool will search—only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
- Choose the appropriate software.
- Choose the appropriate platform.
- Enter a release number—for example, 10.4(4) for Cisco Nexus 3000 Series Switches or 16.0(8e) for Cisco NX-OS Software in ACI mode.
- Click Check.
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode SwitchesTo determine the best release for Cisco UCS Software, see the Recommended Releases documents in the release notes for the device.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was found during the resolution of a Cisco Technical Assistance Center (TAC) support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.0 Initial public release. — Final 2026-MAY-20
-
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC). Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades, customers are advised to regularly consult the advisories for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy for more information.