LiveActive security incident?Get immediate response
CVE Record

CVE-2019-1977: Cisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning Vulnerability

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances. The vulnerability is due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when Disable Remote Endpoint Learning has been enabled. This can result in a Remote (XR) entry being created for the impacted endpoint that will become stale if the endpoint migrates to a different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be relearned by another mechanism.

MediumCVSS 6.8Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This issue can make a reachable endpoint behind a Cisco Nexus 9000 ACI border leaf temporarily unreachable. The problem is not data theft or code execution; it is availability loss caused by incorrect endpoint learning under specific network conditions.

Executive priority

Treat as a moderate operational availability risk for ACI environments. Prioritize validation in data centers where endpoint reachability is business-critical or where external-to-fabric traffic reaches border leaf switches.

Technical view

In Cisco Nexus 9000 Series switches running ACI mode, improper endpoint learning can create a stale Remote XR entry when traffic enters from outside the fabric and Disable Remote Endpoint Learning is enabled. If the endpoint later migrates, traffic may not reach it until relearned.

Likely exposure

Exposure appears limited to Cisco Nexus 9000 ACI deployments using border leaf designs with Disable Remote Endpoint Learning enabled. The provided bundle does not name specific affected software versions.

Exploitation context

The CVE describes unauthenticated remote denial of service under certain circumstances. CISA KEV status is false, and the provided sources do not support active exploitation claims.

Researcher notes

The key condition is stale Remote XR endpoint state after migration, not compromise of confidentiality or integrity. Provided evidence does not include fixed versions, workarounds, or exploit reports, so remediation should be tied to Cisco advisory guidance.

Mitigation direction

  • Review Cisco advisory for affected releases and official remediation.
  • Inventory Nexus 9000 ACI border leaf deployments.
  • Confirm whether Disable Remote Endpoint Learning is enabled.
  • Prioritize vendor-recommended upgrades or mitigations where applicable.
  • Monitor for endpoint reachability failures after endpoint migration.

Validation and detection

  • Confirm switches are Cisco Nexus 9000 running ACI mode.
  • Identify border leaf switches receiving traffic from outside the fabric.
  • Check whether Disable Remote Endpoint Learning is enabled.
  • Review incidents where migrated endpoints became unreachable.
  • Compare deployed software versions against Cisco advisory guidance.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-371: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-1977 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.8 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.8CVSS 3.0MediumCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H2.24Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

6.8Medium
CVSS 3.0 vector shape for CVE-2019-1977Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Nexus 9000 Series Fabric Switches in ACIunspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-371 · source CWE mapping

State Issues

State Issues represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.