Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2025-20209 CVE-2025-20138 CVE-2025-20145 |
CWE-ID | CWE-770 CWE-78 CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Cisco IOS XR: Operating systems & Components / Operating system
NCS 540L: Hardware solutions / Firmware
NCS 1004: Hardware solutions / Firmware
NCS 1010: Hardware solutions / Firmware
NCS 1014: Hardware solutions / Firmware
8608 Routers: Hardware solutions / Routers & switches, VoIP, GSM, etc
8804 Routers: Hardware solutions / Routers & switches, VoIP, GSM, etc
8808 Routers: Hardware solutions / Routers & switches, VoIP, GSM, etc
8812 Routers: Hardware solutions / Routers & switches, VoIP, GSM, etc
8818 Routers: Hardware solutions / Routers & switches, VoIP, GSM, etc
NCS S5504: Hardware solutions / Routers & switches, VoIP, GSM, etc
NCS S5508: Hardware solutions / Routers & switches, VoIP, GSM, etc
NCS S5516: Hardware solutions / Routers & switches, VoIP, GSM, etc |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU105690
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-20209
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of malformed packets in the Internet Key Exchange version 2 (IKEv2) function. A remote attacker can send specially crafted IKEv2 packets and cause a denial of service condition on the target system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cisco IOS XR: - - 24.2
NCS 540L: All versions
NCS 1004: All versions
NCS 1010: All versions
NCS 1014: All versions
CPE2.3
https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrike-9wYGpRGq
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU105697
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20138
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cisco IOS XR: - - 24.3
CPE2.3
External links
https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-priv-esc-GFQjxvOF
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker needs authentication credentials and must successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU105696
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20145
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because certain packets are handled incorrectly when they are received on an ingress interface on one line card and destined out of an egress interface on another line card where the egress access control list (ACL) is configured. A remote attacker can bypass an egress ACL on the target device.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cisco IOS XR: 7.10 - 24.2
8608 Routers: All versions
8804 Routers: All versions
8808 Routers: All versions
8812 Routers: All versions
8818 Routers: All versions
NCS S5504: All versions
NCS S5508: All versions
NCS S5516: All versions
CPE2.3
https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-modular-ACL-u5MEPXMm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.