
Patch Cisco CDPwn remote code execution flaws

Five nasty bugs in Cisco's CDP protocol—"CDPwn"—affect switches, routers, IP phones, and UCS servers. An attacker on the same network segment can exploit these to get code execution or crash devices. February patches are out. If you are running Cisco Layer 2 gear, get them applied.


Cisco disclosed and patched five critical vulnerabilities in its implementation of Cisco Discovery Protocol (CDP) on 5 February 2020, collectively dubbed "CDPwn" by security researchers. The vulnerabilities affect Catalyst switches, routers, IP phones, and UCS servers, allowing adjacent network attackers to execute arbitrary code or cause device denial of service through crafted Layer 2 CDP packets. Organizations running Cisco infrastructure must immediately deploy the February 2020 security updates and evaluate CDP configuration across their network environments.

Vulnerability Technical Analysis

The CDPwn vulnerabilities consist of five distinct flaws in Cisco's CDP implementation across multiple product families. CVE-2020-3118 and CVE-2020-3119 enable remote code execution on affected devices through stack buffer overflow conditions triggered by malformed CDP packets. CVE-2020-3110, CVE-2020-3111, and CVE-2020-3120 cause denial of service through format string vulnerabilities and improper memory handling.

CDP operates at Layer 2, meaning exploitation requires adjacency on the same network segment rather than routable IP connectivity. Attackers must be able to send Ethernet frames to affected devices, typically requiring physical network access, compromised hosts on the same VLAN, or man-in-the-middle positioning. This adjacency requirement limits remote exploitation but enables devastating attacks from compromised internal positions.

The vulnerabilities exist in CDP packet parsing code that fails to properly validate field lengths and content before processing. Specially crafted CDP packets with oversized or malformed fields trigger memory corruption conditions that attackers can use for code execution. The parsing flaws affect multiple CDP message types and field structures.

Exploitation does not require authentication or any prior interaction with target devices. Attackers simply transmit malicious CDP packets to the CDP multicast address, which every CDP-enabled interface listens on. Default CDP configurations on Cisco devices make exploitation straightforward once network adjacency is achieved.

Affected Products and Scope

The CDPwn vulnerabilities affect a broad range of Cisco networking and communication products. Catalyst switches including the 4500, 6500, 9200, 9300, 9400, and 9500 series are vulnerable through their IOS XE software implementations. Nexus data center switches running NX-OS are affected across multiple product lines.

Cisco IP phones including the 7800 and 8800 series contain vulnerable CDP implementations in their firmware. IP phones commonly connect to access switch ports where CDP is enabled by default for automated VLAN assignment, creating direct attack paths from workstation segments to voice infrastructure.

Cisco UCS servers are vulnerable through their Integrated Management Controller (IMC) interfaces. Management network segments connecting UCS IMCs may be accessible from general infrastructure networks, exposing server management planes to CDP attacks.

Cisco routers running IOS XE software are affected, potentially enabling compromise of WAN edge devices and core routing infrastructure. Router CDP implementations parse neighbor discovery packets on all CDP-enabled interfaces.

Attack Scenarios and Business Impact

Successful CDPwn exploitation could provide attackers control of Layer 2 infrastructure, enabling traffic interception, modification, or redirection without triggering perimeter security controls. Compromised switches can be reconfigured to mirror traffic, modify VLANs, or serve as pivot points for deeper network penetration.

IP telephony disruption represents immediate operational impact. Switch crashes caused by CDP exploitation can isolate voice VLANs, and IP phone compromise could enable eavesdropping on voice communications or denial of service affecting enterprise telephony.

Data center infrastructure compromise through UCS server or Nexus switch exploitation could enable attackers to access hypervisor management interfaces, storage networks, or other critical infrastructure typically isolated from general networks.

Repeated exploitation causing device crashes creates denial of service conditions affecting network availability. Switches, routers, or phones that crash and reboot disrupt dependent services and may not recover automatically if attack traffic continues.

CDP Protocol Background

Cisco Discovery Protocol is a proprietary Layer 2 protocol enabled by default on most Cisco devices. CDP enables automatic discovery of directly connected Cisco devices, providing information about device types, capabilities, software versions, and network addresses. Network management systems, IP phones, and infrastructure automation frequently rely on CDP for discovery and configuration.

CDP operates by sending periodic advertisements to multicast MAC address 01:00:0c:cc:cc:cc. All CDP-enabled devices on the same network segment receive these advertisements and maintain neighbor tables based on received information. The protocol has no authentication mechanism, meaning any device can transmit CDP packets that other devices will process.

The lack of authentication and default-enabled status make CDP an attractive attack vector when vulnerabilities exist in parsing code. Historical CDP vulnerabilities have similarly enabled denial of service and information disclosure attacks.
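The parsing flaw described in the technical analysis and the frame format described in this section are easier to reason about with a concrete parser in hand. The following is an added example, not Cisco code and not taken from the advisories: a strict CDP frame parser in Python that checks the destination MAC, the 802.3 length, the LLC/SNAP encapsulation and every TLV length before it touches a TLV value, and that rejects the oversized and undersized length fields a naive parser would trust. The TLV type numbers, the multicast MAC and the SNAP header are the documented CDP values; the MAC addresses, device names and the malformed frames are constructed test inputs, and the CDP checksum is left at zero and not verified.

```python
"""Strict CDP frame parser: an added, defensive example (not Cisco code)."""
import struct

# Documented protocol constants.
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
# LLC/SNAP header carrying CDP: DSAP/SSAP 0xAA, control 0x03,
# Cisco OUI 00:00:0C, protocol ID 0x2000.
CDP_SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {1: "Device ID", 2: "Addresses", 3: "Port ID",
             4: "Capabilities", 5: "Software Version", 6: "Platform"}
TLV_HEADER_LEN = 4          # 2-byte type + 2-byte length; length includes the header
ETH_HEADER_LEN = 14
MAX_8023_PAYLOAD = 1500


class CdpParseError(ValueError):
    """Raised for any frame the strict parser refuses to process."""


def parse_tlvs(data: bytes) -> list:
    """Walk the TLV list, refusing any length that does not fit the buffer."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < TLV_HEADER_LEN:
            raise CdpParseError(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = struct.unpack("!HH", data[off:off + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            # A parser that advances by tlv_len would loop forever or step backwards here.
            raise CdpParseError(f"TLV length {tlv_len} smaller than TLV header")
        if off + tlv_len > len(data):
            # The oversized-field case: the declared length runs past the packet.
            raise CdpParseError(
                f"TLV length {tlv_len} exceeds remaining {len(data) - off} bytes")
        value = data[off + TLV_HEADER_LEN:off + tlv_len]
        tlvs.append((tlv_type, TLV_NAMES.get(tlv_type, f"type-0x{tlv_type:04x}"), value))
        off += tlv_len
    return tlvs


def parse_cdp_frame(frame: bytes) -> dict:
    """Validate the Ethernet/LLC/SNAP/CDP layers and return the parsed fields."""
    if len(frame) < ETH_HEADER_LEN + len(CDP_SNAP_HEADER) + 4:
        raise CdpParseError("frame too short for a CDP header")
    dst, src = frame[:6], frame[6:12]
    if dst != CDP_MULTICAST_MAC:
        raise CdpParseError("destination is not the CDP multicast MAC")
    (eth_len,) = struct.unpack("!H", frame[12:14])
    if eth_len > MAX_8023_PAYLOAD or ETH_HEADER_LEN + eth_len > len(frame):
        raise CdpParseError("802.3 length field is inconsistent with the frame")
    payload = frame[ETH_HEADER_LEN:ETH_HEADER_LEN + eth_len]
    if not payload.startswith(CDP_SNAP_HEADER):
        raise CdpParseError("payload is not CDP (LLC/SNAP mismatch)")
    cdp = payload[len(CDP_SNAP_HEADER):]
    if len(cdp) < 4:
        raise CdpParseError("CDP header truncated")
    version, ttl, _checksum = struct.unpack("!BBH", cdp[:4])   # checksum not verified here
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")
    return {"src_mac": src.hex(":"), "version": version, "ttl": ttl,
            "tlvs": parse_tlvs(cdp[4:])}


def check_frame(frame: bytes) -> tuple:
    """Return (accepted, reason) so callers can log rejections instead of crashing."""
    try:
        parse_cdp_frame(frame)
        return True, "ok"
    except CdpParseError as exc:
        return False, str(exc)


# Builders used only to construct the sample inputs below.
def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def build_frame(src_mac: bytes, tlv_bytes: bytes, version: int = 2, ttl: int = 180) -> bytes:
    payload = CDP_SNAP_HEADER + struct.pack("!BBH", version, ttl, 0) + tlv_bytes
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(payload)) + payload


# Constructed sample frames (not captures from real devices).
SRC_MAC = bytes.fromhex("00112233aabb")
GOOD_FRAME = build_frame(SRC_MAC, build_tlv(1, b"sw-lab-01")
                         + build_tlv(3, b"GigabitEthernet0/1")
                         + build_tlv(6, b"cisco WS-C2960"))
# Declared TLV length far beyond the end of the packet.
OVERSIZED_FRAME = build_frame(SRC_MAC, struct.pack("!HH", 1, 0xFFFF) + b"sw-lab-01")
# Declared TLV length smaller than the 4-byte TLV header.
UNDERSIZED_FRAME = build_frame(SRC_MAC, struct.pack("!HH", 1, 2) + b"sw-lab-01")

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("oversized", OVERSIZED_FRAME),
                        ("undersized", UNDERSIZED_FRAME)]:
        print(name, check_frame(frame))
```

The two rejected frames are exactly the shapes the analysis above describes: a length that overruns the packet, which a trusting parser would copy into a fixed-size buffer, and a length below the header size, which would make a length-driven loop never advance. Rejecting at the length check, before any value is copied, is the property a hardened implementation needs.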

Mitigation and Remediation Strategy

Primary remediation requires deploying the February 5, 2020 software updates for all affected platforms. Priority should be given to internet-exposed management interfaces, inter-VLAN trunk ports, and infrastructure devices accessible from less-trusted network segments.

Where immediate patching is not feasible, disabling CDP on interfaces where neighbor discovery is not operationally required provides interim risk reduction. CDP can be disabled globally or on specific interfaces through device configuration. Document operational dependencies before disabling CDP to avoid disrupting legitimate network management or IP phone functionality.
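As an added example of the interim measure just described (not configuration from the advisory), the following IOS/IOS XE CLI sequence first records the existing CDP dependencies and then disables CDP either globally or only on the ports where it is not needed. The interface numbers and descriptions are constructed placeholders; NX-OS and phone firmware use different syntax and are not shown.

```text
! 1. Document dependencies before changing anything: which neighbors
!    (phones, network management, uplinks) currently rely on CDP?
show cdp neighbors detail
show cdp interface

! 2a. Global option: only where no phone or NMS dependency exists.
configure terminal
 no cdp run
 end

! 2b. Selective option: keep CDP on phone access ports (voice VLAN and
!     power negotiation), disable it on trunks and on ports facing
!     less-trusted segments. Interface numbers are placeholders.
configure terminal
 interface range GigabitEthernet1/0/1 - 24
  description Workstation ports - no CDP neighbors expected
  no cdp enable
 interface GigabitEthernet1/0/48
  description Uplink to core - neighbor discovery not required
  no cdp enable
 end

! 3. Confirm the result and save it.
show cdp interface
write memory
```

The selective option is usually the realistic one in offices with IP phones, since the phone ports need CDP for voice VLAN assignment; the exposure that remains is then confined to the access ports, and the trunk and management-facing interfaces no longer parse CDP at all.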

Network segmentation can limit attack surface by isolating management interfaces and infrastructure devices from general workstation networks. Attackers require Layer 2 adjacency, so proper VLAN isolation prevents exploitation from remote network segments.

Monitor network infrastructure for unexplained device crashes or reloads that could indicate exploitation attempts. Configure SNMP traps and logging to capture device failure events. Investigate patterns of switch or phone reboots that could indicate CDP attack activity.
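To show what "investigate patterns of reboots" can look like as detection logic, here is an added example (not from the page or from Cisco) that reads Cisco-style syslog lines and separates operator-initiated reloads from unexplained restarts. A %SYS-5-RESTART that follows a %SYS-5-RELOAD on the same device within a grace period is treated as planned; any other restart is unexplained, and a device with several unexplained restarts inside one window is flagged high. The log lines, hostnames and timestamps are constructed, and the year is assumed to be 2020 because the default IOS timestamp omits it.

```python
"""Detect unexplained reboots in Cisco syslog: an added example, not page code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real device output). Sequence numbers as
# produced by 'service sequence-numbers'; the year is assumed to be 2020.
SAMPLE_LOG = """\
Feb  5 10:02:11 sw-core-01 101: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5).
Feb  5 10:04:40 sw-core-01 102: %SYS-5-RESTART: System restarted --
Feb  5 10:21:03 sw-access-07 311: %SYS-5-RESTART: System restarted --
Feb  5 10:22:30 sw-access-07 312: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to up
Feb  5 10:29:48 sw-access-07 313: %SYS-5-RESTART: System restarted --
Feb  5 10:37:15 sw-access-07 314: %SYS-5-RESTART: System restarted --
Feb  5 11:05:30 sw-access-09 77: %SYS-5-RESTART: System restarted --
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")


def parse_line(line: str, year: int = 2020):
    """Return a dict for a Cisco-style syslog line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "facility": m["fac"],
            "severity": int(m["sev"]), "mnemonic": m["mnem"], "msg": m["msg"]}


def find_suspicious_reboots(log_text: str,
                            planned_grace: timedelta = timedelta(minutes=15),
                            window: timedelta = timedelta(minutes=60),
                            threshold: int = 3) -> list:
    """Flag hosts that restarted without a preceding operator reload."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_reload = {}                  # host -> timestamp of last %SYS-5-RELOAD
    unexplained = defaultdict(list)   # host -> timestamps of unexplained restarts
    for e in events:
        key = (e["facility"], e["mnemonic"])
        if key == ("SYS", "RELOAD"):
            last_reload[e["host"]] = e["ts"]
        elif key == ("SYS", "RESTART"):
            planned_at = last_reload.get(e["host"])
            if planned_at is not None and timedelta(0) <= e["ts"] - planned_at <= planned_grace:
                continue              # reload was requested by an operator: expected
            unexplained[e["host"]].append(e["ts"])
    findings = []
    for host, times in sorted(unexplained.items()):
        # Largest number of unexplained restarts that fall inside any one window.
        peak = max(sum(1 for t in times if t0 <= t < t0 + window) for t0 in times)
        findings.append({"host": host, "unexplained_restarts": len(times),
                         "peak_in_window": peak,
                         "level": "high" if peak >= threshold else "low"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_reboots(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, sw-core-01 is not reported because its restart followed an operator reload, sw-access-07 is reported high after three unexplained restarts in sixteen minutes, and sw-access-09 is reported low for a single one. The same split (planned versus unexplained) is what the SNMP trap and logging configuration the section recommends should feed into, so that a single maintenance reload does not look like an attack and a burst of crashes on one access switch does.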

IP Phone Specific Considerations

IP phones present particular exposure due to their deployment patterns and CDP dependencies. Phones commonly connect to access switch ports where CDP is used for automatic voice VLAN assignment and power negotiation. This functional dependency may prevent CDP disabling without disrupting phone provisioning.

Update IP phone firmware to patched versions through phone management systems. Prioritize phones in sensitive locations or executive areas. Test firmware updates in lab environments before broad deployment to verify compatibility with call control systems.

Voice VLAN isolation provides defense-in-depth by separating phone traffic from workstation segments. Even where VLAN separation keeps workstation-segment attackers from reaching phones directly, verify that CDP traffic isolation holds across trunk ports.
