Friday, March 14, 2025

Cisco IOS XR vulnerability lets attackers crash BGP on routers


Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.

IOS XR runs on the company's carrier-grade, Network Convergence System (NCS), and Carrier Routing System (CRS) series of routers, such as the ASR 9000, NCS 5500, and 8000 series.

This high-severity flaw (tracked as CVE-2025-20115) was discovered in the confederation implementation for the Border Gateway Protocol (BGP), and it only impacts Cisco IOS XR devices if BGP confederation is configured.

Successful exploitation allows unauthenticated attackers to take down vulnerable devices remotely in low-complexity attacks by causing memory corruption via buffer overflow, leading to a BGP process restart.


“This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers),” the company explains in a security advisory issued this week.

“An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.”

To exploit the CVE-2025-20115 vulnerability, “the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more,” or the attackers must have control of a BGP confederation speaker within the same autonomous system as the targeted device(s).

| Cisco IOS XR Software Release | First Fixed Release |
| --- | --- |
| 7.11 and earlier | Migrate to a fixed release. |
| 24.1 and earlier | Migrate to a fixed release. |
| 24.2 | 24.2.21 (future release) |
| 24.3 | 24.3.1 |
| 24.4 | Not affected. |

Those who cannot immediately apply the security patches released earlier this week are advised to restrict the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers to limit potential attacks' impact.

“While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions,” Cisco said.
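A monitoring-side check for the condition the advisory describes, as an added example that is not from Cisco or the original article: it parses one captured BGP UPDATE message and counts the AS numbers carried in AS_CONFED_SEQUENCE segments against the 254 limit of the workaround. The function names and the sample message are constructed for illustration, and 4-byte AS numbers are assumed.

```python
import struct

AS_PATH = 2               # path attribute type code (RFC 4271)
AS_CONFED_SEQUENCE = 3    # AS_PATH segment type (RFC 5065)
MAX_CONFED_ASNS = 254     # limit from the workaround described above

def confed_sequence_len(update: bytes, asn_size: int = 4) -> int:
    """Count AS numbers in AS_CONFED_SEQUENCE segments of one BGP UPDATE."""
    if len(update) < 23 or update[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack_from("!HB", update, 16)
    if msg_type != 2 or length != len(update):
        raise ValueError("not a complete UPDATE")
    pos = 21 + struct.unpack_from("!H", update, 19)[0]  # skip withdrawn routes
    if pos + 2 > len(update):
        raise ValueError("withdrawn routes overrun message")
    end = pos + 2 + struct.unpack_from("!H", update, pos)[0]
    pos += 2
    if end > len(update):
        raise ValueError("path attributes overrun message")
    total = 0
    while pos < end:
        ext = bool(update[pos] & 0x10)   # extended-length flag: 2-byte length
        if end - pos < (4 if ext else 3):
            raise ValueError("truncated attribute header")
        code = update[pos + 1]
        alen = struct.unpack_from("!H" if ext else "!B", update, pos + 2)[0]
        pos += 4 if ext else 3
        if pos + alen > end:
            raise ValueError("truncated attribute")
        if code == AS_PATH:
            seg, seg_end = pos, pos + alen
            while seg + 2 <= seg_end:
                seg_type, count = update[seg], update[seg + 1]
                if seg_type == AS_CONFED_SEQUENCE:
                    total += count
                seg += 2 + count * asn_size
            if seg != seg_end:
                raise ValueError("malformed AS_PATH")
        pos += alen
    return total

def exceeds_limit(update: bytes, limit: int = MAX_CONFED_ASNS) -> bool:
    return confed_sequence_len(update) > limit

# Constructed sample: AS_PATH with a 3-ASN AS_CONFED_SEQUENCE and a 2-ASN AS_SEQUENCE
_path = struct.pack("!BB3I", 3, 3, 65001, 65002, 65003) + struct.pack("!BB2I", 2, 2, 64500, 64501)
_attrs = bytes([0x40, 1, 1, 0, 0x40, AS_PATH, len(_path)]) + _path
SAMPLE = b"\xff" * 16 + struct.pack("!HBHH", 23 + len(_attrs), 2, 0, len(_attrs)) + _attrs
```

Alerting at a lower `limit` than 254 gives warning while a confederation path is still growing toward the threshold.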

The company's Product Security Incident Response Team (PSIRT) found no evidence that this vulnerability has been exploited in the wild, but Cisco says a write-up published in September on APNIC's blog provides additional CVE-2025-20115 technical details.

Earlier this month, Cisco warned customers of a vulnerability in Webex for BroadWorks that can let unauthenticated attackers access credentials remotely.


The same week, CISA tagged a remote command execution security flaw impacting Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers as actively exploited in attacks and ordered U.S. federal agencies to secure any vulnerable devices by March 23.

“Cisco continues to strongly recommend that customers upgrade their hardware to Meraki or Cisco 1000 Series Integrated Services Routers to remediate these vulnerabilities,” the company advised in an advisory updated days after CISA's order was issued.
