Cisco Warns of Critical IOS XR Vulnerability Enabling DoS Attacks

Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software that could allow attackers to launch denial-of-service (DoS) attacks.

 The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation.

The CVE-2025-20115 vulnerability affects the Border Gateway Protocol (BGP) confederation implementation in Cisco IOS XR Software, potentially allowing an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition.

Overview of the vulnerability

This vulnerability arises from a memory corruption issue that occurs when a BGP update contains an AS_CONFED_SEQUENCE attribute with 255 or more autonomous system numbers.

An attacker could exploit this vulnerability by sending crafted BGP update messages or by configuring the network in such a way that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.

To exploit the vulnerability, an attacker must either control a BGP confederation speaker within the same autonomous system as the target or engineer the network to meet this specific AS path length condition.

A successful exploit can lead to memory corruption, potentially causing the BGP process to restart, which results in a DoS condition and disrupts network operations.

The vulnerability has a CVSS score of 8.6 based on CVSS:3.1 and aligns with CWE-120, Buffer Copy without Checking Size of Data.

Affected Product

Product	CVE	Advisory Link
Cisco IOS XR Software	CVE-2025-20115	Cisco Security Advisory

To exploit this vulnerability, an attacker must either control a BGP confederation speaker within the same autonomous system as the target or engineer the network so that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.

This highlights the risk of network design contributing to vulnerability.

Cisco has released software updates to address this issue. Additionally, a workaround is available by implementing a routing policy to restrict the BGP AS path length to 254 AS numbers or fewer.

While this workaround has been tested and proven effective, customers should evaluate its applicability and potential impact on their specific network environment.

This vulnerability underscores the importance of regular software updates and network configuration reviews.

Customers are advised to consult with Cisco’s technical support for tailored advice and to ensure that any updates or workarounds are suitable for their specific setup.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.