Cisco discloses vulnerability in switch models

Target Industry

Indiscriminate, opportunistic targeting.


Cisco has disclosed a vulnerability, tracked as CVE-2023-20185 (CVSSv3 Score: 7.4), which allows threat actors to interfere with encrypted traffic.


Successful exploitation of CVE-2023-20185 allows unauthenticated remote threat actors to read or modify encrypted intersite traffic. The flaw is caused by an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.

Vulnerability Detection

A security patch has yet to be released by Cisco. As such, users should adhere to the recommended steps outlined within the ‘Containment, Mitigations & Remediations’ section of the bulletin below.

Affected Products

The following Cisco spine switch models are affected by CVE-2023-20185:

  • Cisco Nexus 9332C
  • Cisco Nexus 9364C
  • Cisco Nexus 9500.

It should be noted that the models above are only affected if the following criteria are met:

  • The switch must be in ACI mode
  • The switch must be part of a multi-site topology
  • CloudSec encryption must be enabled
  • The switches must be operating firmware version 14.0 or later.

Containment, Mitigations & Remediations

Cisco has yet to release software updates to remediate the CVE-2023-20185 security flaw. As such, it is strongly recommended that users of affected switches turn off the vulnerable feature.

To determine if CloudSec encryption is being used across an ACI site, navigate to Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity on the Cisco Nexus Dashboard Orchestrator (NDO) and verify whether or not “CloudSec Encryption” is marked as “Enabled.”

To determine whether CloudSec encryption is enabled on a Cisco Nexus 9000 Series switch, run the ‘show cloudsec sa interface all’ command on the switch command line interface. If it returns ‘Operational Status’ for any interface, CloudSec encryption is enabled.
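As an added example (not part of the original bulletin and not Cisco tooling), the following Python script applies the affected-product criteria and the ‘Operational Status’ check above to an inventory of collected switch facts. The field names, the sample records and the treatment of 95xx chassis numbers as the Nexus 9500 family are assumptions.

```python
import re

# Criteria from the bulletin: listed spine models, ACI mode, multi-site
# topology, firmware 14.0 or later, CloudSec encryption enabled.
# Assumption: 95xx chassis numbers (e.g. 9508) belong to the Nexus 9500 family.
AFFECTED_MODEL = re.compile(r"(?<!\d)(9332C|9364C|95\d{2})(?!\d)")
MIN_VERSION = (14, 0)

def parse_version(text):
    """Return (major, minor) from a release string such as '14.2(7f)'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def cloudsec_enabled(cli_output):
    """The bulletin's test: 'Operational Status' in the output means enabled."""
    return "operational status" in cli_output.lower()

def assess(sw):
    """Return the list of bulletin criteria this switch does NOT meet."""
    unmet = []
    if not AFFECTED_MODEL.search(sw["model"]):
        unmet.append("model not listed")
    if sw["mode"].upper() != "ACI":
        unmet.append("not in ACI mode")
    if not sw["multi_site"]:
        unmet.append("not in a multi-site topology")
    if parse_version(sw["version"]) < MIN_VERSION:
        unmet.append("firmware earlier than 14.0")
    if not cloudsec_enabled(sw["cloudsec_output"]):
        unmet.append("CloudSec not enabled")
    return unmet

def exposed(inventory):
    """Names of switches that meet every criterion (nothing unmet)."""
    return [sw["name"] for sw in inventory if not assess(sw)]

# Constructed sample records; the output text is illustrative, not real device output.
INVENTORY = [
    {"name": "spine-a", "model": "N9K-C9364C", "mode": "ACI", "multi_site": True,
     "version": "15.2(4e)", "cloudsec_output": "Eth1/1\n  Operational Status: UP\n"},
    {"name": "spine-b", "model": "N9K-C9332C", "mode": "ACI", "multi_site": True,
     "version": "14.2(7f)", "cloudsec_output": ""},
    {"name": "spine-c", "model": "N9K-C9508", "mode": "ACI", "multi_site": True,
     "version": "13.2(9b)", "cloudsec_output": "Eth2/1\n  Operational Status: UP\n"},
]

if __name__ == "__main__":
    for sw in INVENTORY:
        print(sw["name"], "EXPOSED" if not assess(sw) else assess(sw))
```

A switch is reported as exposed only when all criteria hold, so the per-switch list of unmet criteria shows which condition keeps a device out of scope.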

Threat Landscape

Cisco holds a significant share of the enterprise network infrastructure market. Given that threat actors generally weigh probability and asset value when deciding which attack surfaces to focus on, Cisco products have become a prime target. Because Cisco products are integral to business operations, threat actors will continue to exploit vulnerabilities in them in an attempt to extract the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Defence Evasion Technique:

T1600 – Weaken Encryption


An Intelligence Terminology Yardstick showing the likelihood of events