Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.
IOS XR runs on the company's carrier-grade Network Convergence System (NCS) and Carrier Routing System (CRS) series of routers, such as the ASR 9000, NCS 5500, and 8000 series.
This high-severity flaw (tracked as CVE-2025-20115) was found in the confederation implementation for the Border Gateway Protocol (BGP), and it only affects Cisco IOS XR devices if BGP confederation is configured.
Successful exploitation lets unauthenticated attackers take down vulnerable devices remotely in low-complexity attacks by causing memory corruption via a buffer overflow, leading to a BGP process restart.
"This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers)," the company explains in a security advisory issued this week.
"An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more."
To exploit the CVE-2025-20115 vulnerability, "the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more," or the attackers must have control of a BGP confederation speaker within the same autonomous system as the targeted system(s).
Cisco IOS XR Software Release | First Fixed Release |
---|---|
7.11 and earlier | Migrate to a fixed release. |
24.1 and earlier | Migrate to a fixed release. |
24.2 | 24.2.21 (future release) |
24.3 | 24.3.1 |
24.4 | Not affected. |
Those who can't immediately apply the security patches released earlier this week are advised to restrict the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers to limit the potential impact of attacks.
"While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions," Cisco said.
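To make the workaround's 254-AS-number threshold concrete, here is an added example (not Cisco's code or the advisory's) that decodes a BGP AS_PATH attribute value and flags paths whose confederation segments, summed across the whole attribute, carry more than 254 AS numbers. It assumes 4-octet AS numbers on the session (2-octet is selectable) and constructs its own sample attributes for testing.

```python
"""Parse a BGP AS_PATH attribute value and flag confederation segments
that exceed the 254-ASN ceiling Cisco recommends as a workaround."""
import struct

# Segment type codes (RFC 4271 section 4.3, RFC 5065 section 3)
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}
MAX_SAFE_CONFED_ASNS = 254  # workaround threshold quoted in the advisory

def parse_as_path(value: bytes, asn_size: int = 4):
    """Return [(segment_type, [asn, ...]), ...] decoded from an AS_PATH value.
    asn_size is 4 on 4-octet-AS-capable sessions (RFC 6793), otherwise 2."""
    fmt = ">I" if asn_size == 4 else ">H"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]  # one-byte count: max 255 per segment
        pos += 2
        end = pos + count * asn_size
        if end > len(value):
            raise ValueError("segment length exceeds attribute length")
        asns = [struct.unpack_from(fmt, value, pos + i * asn_size)[0] for i in range(count)]
        segments.append((seg_type, asns))
        pos = end
    return segments

def confed_asn_count(segments) -> int:
    """Total ASNs across every confederation segment in the path."""
    return sum(len(asns) for seg_type, asns in segments if seg_type in CONFED_TYPES)

def exceeds_workaround(value: bytes, asn_size: int = 4) -> bool:
    """True when the confederation part of the path holds more than 254 ASNs."""
    return confed_asn_count(parse_as_path(value, asn_size)) > MAX_SAFE_CONFED_ASNS

def build_as_path(segments, asn_size: int = 4) -> bytes:
    """Encode segments to wire form; used here only to construct test input."""
    fmt = ">I" if asn_size == 4 else ">H"
    out = b""
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("a segment holds 1..255 ASNs")
        out += bytes([seg_type, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)
    return out

# Constructed samples: an ordinary confederation path and one at the 255-ASN boundary.
NORMAL_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65001, 65002]), (AS_SEQUENCE, [64512])])
BOUNDARY_PATH = build_as_path([(AS_CONFED_SEQUENCE, list(range(65001, 65001 + 255)))])
```

Run the check against AS_PATH values pulled from a route collector or a packet capture of a confederation peer to confirm that no received path is already at or above the 255-ASN size the advisory describes.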
The company's Product Security Incident Response Team (PSIRT) found no evidence that this vulnerability has been exploited in the wild, but Cisco says a write-up published in September on APNIC's blog provides more CVE-2025-20115 technical details.
Earlier this month, Cisco warned customers of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.
The same week, CISA tagged a remote command execution security flaw impacting Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers as actively exploited in attacks and ordered U.S. federal agencies to secure any vulnerable devices by March 23.
"Cisco continues to strongly recommend that customers upgrade their hardware to Meraki or Cisco 1000 Series Integrated Services Routers to remediate these vulnerabilities," the company urged in an advisory updated days after CISA's order was issued.