BugZero | Cisco BugID CSCvv78028 - Cisco IOS XE Software Zone-Based Policy Firewall I...

Symptom

A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent the Zone-Based Policy Firewall from correctly classifying traffic. This vulnerability exists because ICMP and UDP responder-to-initiator flows are not inspected when the Zone-Based Policy Firewall has either Unified Threat Defense (UTD) or Application Quality of Experience (AppQoE) configured. An attacker could exploit this vulnerability by attempting to send UDP or ICMP flows through the network. A successful exploit could allow the attacker to inject traffic through the Zone-Based Policy Firewall, resulting in traffic being dropped because it is incorrectly classified or in incorrect reporting figures being produced by high-speed logging (HSL). Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-pP9jfzwL

Conditions

For information on fixed versions of software consult the Cisco IOS Software checker: https://tools.cisco.com/security/center/softwarechecker.x See Vulnerable Products Section of the advisory for full details: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-pP9jfzwL#vp

Workaround

There are no workarounds that address this vulnerability.

Further Problem Description

Please refer to the Security Advisory.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVE ID CVE-2021-1625 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html

Cisco - Defect ID: CSCvv78028

Cisco IOS XE Software Zone-Based Policy Firewall ICMP and UDP Inspection Vulnerability

Cisco - Defect ID: CSCvv78028

Cisco IOS XE Software Zone-Based Policy Firewall ICMP and UDP Inspection Vulnerability

Last updated on November 13th, 2025

BugZero Risk Score
6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

PSIRT Evaluation

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

Cisco - Defect ID: CSCvv78028

Cisco IOS XE Software Zone-Based Policy Firewall ICMP and UDP Inspection Vulnerability

Cisco - Defect ID: CSCvv78028

Cisco IOS XE Software Zone-Based Policy Firewall ICMP and UDP Inspection Vulnerability

Last updated on November 13th, 2025

BugZero Risk Score6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

PSIRT Evaluation

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.1 Medium