CVE-2017-12238 is a medium-severity vulnerability affecting Cisco IOS versions 15.0 through 15.4 on Cisco Catalyst 6800 Series Switches. This vulnerability allows an unauthenticated, adjacent attacker to exploit a memory management issue within the Virtual Private LAN Service (VPLS) code, potentially leading to a denial of service (DoS). The attacker could create numerous VPLS-generated MAC entries, overwhelming the MAC address table, which may cause a C6800-16P10G or C6800-16P10G-XL line card to crash.
The severity of this vulnerability is underscored by its CVSS score of 6.5, indicating a medium threat level. The risk to organizations includes potential service interruptions, which can affect network availability and reliability. Given the nature of this vulnerability and its implications, organizations should prioritize patching immediately.
As of now, there is no known public exploit or proof of concept available for this vulnerability. However, it has been added to the Known Exploited Vulnerabilities (KEV) catalog as of March 2022, indicating that organizations should be vigilant and take this issue seriously. The urgency for defenders to address this vulnerability is high, especially considering its potential impact on network operations.
Organizations should ensure that their devices are configured correctly and running updated versions of Cisco IOS. Patching should be incorporated into the regular maintenance schedule to mitigate the risks associated with this vulnerability.
Vulnerability Details
The vulnerability in question pertains to the VPLS code within Cisco IOS, affecting versions 15.0 through 15.4. An unauthenticated attacker, when positioned on the adjacent network, can exploit this vulnerability to crash specific line cards, thereby causing a denial of service condition. The vulnerability stems from a memory management issue that can be triggered by creating excessive VPLS-generated MAC entries.
This vulnerability affects Cisco Catalyst 6800 Series Switches configured with VPLS and utilizing C6800-16P10G or C6800-16P10G-XL line cards as core-facing MPLS interfaces. The official CVE description provides insight into the nature of the exploit, detailing the conditions necessary for successful exploitation.
The CVSS 3.1 base score for this vulnerability is 6.5, categorized as medium severity. The attack vector is classified as adjacent network, with low attack complexity and no privileges or user interaction required. The availability impact is rated high, emphasizing the potential for significant disruption.
Technical Analysis
The root cause of this vulnerability lies within the memory management code of the VPLS implementation. Attackers may leverage this vulnerability by flooding the MAC address table with numerous entries, leading to a failure of the line card and resulting in a denial of service. The attack complexity is deemed low, with no privileges required to execute the attack, and no user interaction necessary.
The confidentiality and integrity impacts are rated as none, while the availability impact is rated as high. This indicates that the primary concern is the disruption of service rather than unauthorized access or manipulation of data.
Risk & Impact Analysis
The deployment risk associated with CVE-2017-12238 is significant for organizations using the affected Cisco Catalyst 6800 Series Switches. If exploited, this vulnerability could result in substantial operational downtime, affecting critical network services. The blast radius potential is considerable, as the attack could lead to widespread service disruption across the organization.
Organizations should prioritize patching as the urgency is classified as critical. The known exploitation status further underscores the need for immediate action to protect network integrity and availability.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | Yes |
| Ransomware Use | No |
Affected Versions
The vulnerability affects all versions of Cisco IOS from 15.0 to 15.4. Organizations using Cisco Catalyst 6800 Series Switches with Supervisor Engine 6T configured for VPLS are at risk. If version information is not available, assume that all versions prior to the vendor patch are affected.
Mitigation & Remediation
To remediate this vulnerability, organizations should apply the recommended patches provided by Cisco. It is crucial to ensure that the devices are running the latest software versions. In the absence of a patch, organizations should consider implementing workarounds such as disabling VPLS or restricting access to the affected interfaces.
Additional security measures could include network segmentation to limit the exposure of vulnerable devices and implementing monitoring tools to detect unusual traffic patterns that may indicate an ongoing attack.
Penetration testing can also help validate the effectiveness of any remediation efforts.
Detection Guidance
Monitoring logs for anomalies in MAC address table changes can help identify potential exploitation attempts. Organizations should look for sudden spikes in MAC address entries or unauthorized changes that could indicate an attempt to exploit this vulnerability.
Behavioral anomalies, such as unexpected crashes or reboots of line cards, should also be investigated. Implementing network signatures to detect unusual traffic patterns may further enhance detection capabilities.
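One way to implement the "sudden spike in MAC address entries" check described above, as an added example that is not Cisco's code or part of the original page. It assumes a poller already records the MAC address table entry count at a fixed interval (for example from `show mac address-table count` or SNMP); the sample values, thresholds and function name are constructed for illustration.

```python
from statistics import median

# Constructed sample: (poll time, MAC address table entry count) for one
# switch, polled every 60 s. Illustrative values, not taken from a device.
SAMPLES = [
    ("10:00", 4120), ("10:01", 4135), ("10:02", 4128), ("10:03", 4150),
    ("10:04", 4141), ("10:05", 4160), ("10:06", 4155), ("10:07", 9800),
    ("10:08", 21500), ("10:09", 47900), ("10:10", 4170),
]

def detect_mac_spikes(samples, window=6, k=6.0, min_jump=500):
    """Flag polls whose entry count exceeds a robust rolling baseline.

    baseline = median of the last `window` counts accepted as normal
    spread   = median absolute deviation (MAD) of those counts
    A poll is flagged when count - baseline > max(k * 1.4826 * MAD, min_jump).
    Flagged polls are kept out of the baseline, so a sustained flood
    cannot raise the baseline and hide itself.
    """
    history, alerts = [], []
    for ts, count in samples:
        if len(history) >= window:
            recent = history[-window:]
            base = median(recent)
            mad = median(abs(c - base) for c in recent)
            # min_jump stops a very quiet table (MAD near 0) from alerting
            # on ordinary churn of a few entries.
            threshold = max(k * 1.4826 * mad, min_jump)
            if count - base > threshold:
                alerts.append({"time": ts, "count": count,
                               "baseline": base, "excess": count - base})
                continue  # do not learn from the anomalous value
        history.append(count)
    return alerts

if __name__ == "__main__":
    for a in detect_mac_spikes(SAMPLES):
        print(f"{a['time']} count={a['count']} baseline={a['baseline']} "
              f"excess={a['excess']}")
```

Running the same function per VLAN or per VPLS instance, rather than on the switch-wide total, narrows an alert to the bridge domain where the entries are being learned.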
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2017-12238 highlights the ongoing challenges in network device security, particularly regarding memory management vulnerabilities. This incident exemplifies the need for organizations to adopt a proactive approach to vulnerability management and ensure timely updates and patches are applied.
As cyber threats evolve, security teams must remain vigilant and continuously assess their network configurations. The trend of vulnerabilities related to memory management issues is a reminder that even well-established technologies like Cisco IOS can harbor significant risks.
Organizations should incorporate continuous security assessments into their operational routines to identify and mitigate vulnerabilities before they can be exploited. For more insights on enhancing your security posture, refer to our vulnerability management program and consider engaging in penetration testing to stay ahead of potential threats.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
