Impact
A flaw in Cisco Nexus 3000 and 9000 Series switches running NX-OS with the enforce-first-as feature enabled allows an unauthenticated, remote attacker to cause BGP peer flaps. The vulnerability is caused by incorrect parsing of a transitive BGP attribute: a crafted BGP update received over an established BGP peer session can lead the device to drop the session and repeatedly flap with the peer, denying availability of the switch for BGP routing traffic. The impact is limited to a denial of service on the affected device; it does not involve disclosure of data or remote code execution. The weakness corresponds to CWE-670, a flaw in protocol parsing.
Affected Systems
The affected products are Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running NX-OS in standalone mode with the enforce-first-as feature enabled. No specific firmware versions are listed in the advisory, so all current versions that support this feature are potentially impacted.
Risk and Exploitability
The CVSS score of 6.8 corresponds to medium severity. No EPSS score is available, so the current probability of exploitation is unknown, but the vulnerability is already public and documented by Cisco. It is not yet present in the CISA KEV catalog. An attacker could send a crafted BGP update over an existing BGP peering session and trigger the DoS; no privileged access is required, and the attack can be delivered over the network between BGP peers.
OpenCVE Enrichment