CVE-2020-10136

MEDIUM

Cisco NX-OS - Authentication Bypass by Spoofing via IP-in-IP Packet Handling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-10136. PoCs published by PapayaJackal.

AI-analyzed exploit summary This repository contains a scanner and attack suite for exploiting CVE-2020-10136, which involves insecure implementation of IP-in-IP and GRE tunneling protocols. The tools allow sending spoofed IP packets via vulnerable hosts, enabling attacks like DNS amplification DDoS.

Description

IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing.

Exploits (1)

nomisec WORKING POC 11 stars
by PapayaJackal · poc
https://github.com/PapayaJackal/ipeeyoupeewepee

This repository contains a scanner and attack suite for exploiting CVE-2020-10136, which involves insecure implementation of IP-in-IP and GRE tunneling protocols. The tools allow sending spoofed IP packets via vulnerable hosts, enabling attacks like DNS amplification DDoS.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Cisco routers and other devices with IP-in-IP/GRE tunneling
No auth needed
Prerequisites: Vulnerable host with IP-in-IP or GRE tunneling enabled · Public IPv4 address for scanning · Open UDP port for receiving responses
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, US Government Resource
https://kb.cert.org/vuls/id/636397/
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/636397
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/199397

Scores

CVSS v3 5.3
EPSS 0.2646
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-290
Status published
Products (47)
cisco/nx-os 5.2\(1\)sk3\(1.1\)
cisco/nx-os 5.2\(1\)sk3\(2.1\)
cisco/nx-os 5.2\(1\)sk3\(2.1a\)
cisco/nx-os 5.2\(1\)sk3\(2.2\)
cisco/nx-os 5.2\(1\)sk3\(2.2b\)
cisco/nx-os 5.2\(1\)sm1\(5.1\)
cisco/nx-os 5.2\(1\)sm1\(5.2\)
cisco/nx-os 5.2\(1\)sm1\(5.2a\)
cisco/nx-os 5.2\(1\)sm1\(5.2b\)
cisco/nx-os 5.2\(1\)sm1\(5.2c\)
... and 37 more
Published Jun 02, 2020
Tracked Since Feb 18, 2026