Cisco Issues Critical Security Advisory for IOS XR Software Vulnerability, Enabling DoS Attacks

Cisco has released a security advisory addressing a critical vulnerability in its IOS XR Software, tracked as CVE-2025-20115. The flaw, which affects the Border Gateway Protocol (BGP) confederation implementation, could allow remote, unauthenticated attackers to cause memory corruption and trigger Denial of Service (DoS) conditions. This vulnerability affects Cisco devices running BGP confederation with versions 7.11 and earlier, 24.1 and earlier, and certain 24.2 releases. Cisco urges affected users to update their systems to the latest fixed software versions or implement a temporary workaround to mitigate potential attacks.

Cisco Warns of Critical Vulnerability in IOS XR Software Allowing DoS Attacks

Cisco has issued an urgent security advisory addressing a critical vulnerability in the Border Gateway Protocol (BGP) implementation in its IOS XR Software, which could allow attackers to remotely trigger a Denial of Service (DoS) condition. The flaw, tracked as CVE-2025-20115, stems from a memory corruption issue that arises when certain configurations of BGP updates are processed.

The Vulnerability:
This vulnerability, which affects versions of Cisco IOS XR Software with BGP confederation enabled, allows unauthenticated, remote attackers to exploit a buffer overflow by sending specially crafted BGP update messages. Memory corruption can result when the AS_CONFED_SEQUENCE attribute of a BGP update includes 255 or more autonomous system numbers (AS numbers).

When this memory corruption occurs, the BGP process is forced to restart, causing network disruptions and denial-of-service conditions. The attack does not require authentication, making it particularly dangerous for network operators running affected versions of IOS XR. Affected devices could experience widespread network outages, disrupting service for end-users.

Affected Products:
Cisco IOS XR Software versions 7.11 and earlier, 24.1 and earlier, and certain versions within the 24.2 series are vulnerable to this issue. Any device running BGP confederation in these versions is susceptible to the exploit.

The following Cisco routers and platforms are affected:

  • ASR 9000 Series
  • NCS 5500 Series
  • NCS 8000 Series

The Exploit Path:
To exploit this vulnerability, an attacker must either have control over a BGP confederation speaker within the same autonomous system as the target or manipulate the network's AS_CONFED_SEQUENCE attribute to grow beyond the threshold of 255 AS numbers. In either case, the attacker can send crafted BGP update messages, triggering the memory corruption and restarting the BGP process, resulting in a DoS condition.

Security Rating:
This vulnerability has been assigned a CVSS score of 8.6, classified as high severity. The potential for widespread exploitation is significant, which is why Cisco has prioritized addressing this issue.

Mitigation and Fixes:
Cisco has released software updates to address the vulnerability. Affected users are urged to upgrade to the fixed versions of IOS XR Software:

  • 24.2.21 (future release)
  • 24.3.1
  • 24.4 (not affected)

For users unable to upgrade immediately, Cisco has provided a temporary workaround. This workaround involves restricting the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers, which can be achieved by using a routing policy that drops BGP updates with long AS path lengths. Cisco advises customers to test this workaround in their environments before deployment.
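
As an added example (not from Cisco's advisory or this article), the Python check below applies the same 254-AS limit to the path attributes of a captured BGP UPDATE, which is useful when reviewing packet captures for over-long confederation paths. It assumes 4-octet AS numbers and sums the counts of all AS_CONFED_SEQUENCE segments; the function names and the sample bytes are constructed for illustration.

```python
import struct

AS_PATH = 2              # path attribute type code (RFC 4271)
AS_CONFED_SEQUENCE = 3   # AS_PATH segment type (RFC 5065)
EXT_LEN = 0x10           # attribute flag: length field is 2 bytes
MAX_CONFED_ASNS = 254    # limit named in the workaround

# Constructed sample: ORIGIN, then an AS_PATH holding a 2-AS confed
# sequence (65001 65002) followed by a 1-AS AS_SEQUENCE (64500).
SAMPLE = bytes.fromhex("40010100" "400210" "03020000fde90000fdea" "02010000fbf4")


def iter_attributes(block):
    """Yield (type_code, value) for each path attribute in an UPDATE."""
    pos = 0
    while pos < len(block):
        hdr = 4 if block[pos] & EXT_LEN else 3
        if pos + hdr > len(block):
            raise ValueError("truncated attribute header")
        code = block[pos + 1]
        if hdr == 4:
            (length,) = struct.unpack_from("!H", block, pos + 2)
        else:
            length = block[pos + 2]
        value = block[pos + hdr:pos + hdr + length]
        if len(value) != length:
            raise ValueError("attribute overruns the attribute block")
        yield code, value
        pos += hdr + length


def confed_sequence_asns(as_path, asn_size=4):
    """Count AS numbers in the AS_CONFED_SEQUENCE segments of an AS_PATH."""
    pos = total = 0
    while pos < len(as_path):
        if pos + 2 > len(as_path):
            raise ValueError("truncated segment header")
        seg_type, count = as_path[pos], as_path[pos + 1]
        end = pos + 2 + count * asn_size
        if end > len(as_path):
            raise ValueError("segment overruns AS_PATH")
        if seg_type == AS_CONFED_SEQUENCE:
            total += count
        pos = end
    return total


def check_update(attr_block, limit=MAX_CONFED_ASNS):
    """Return (confed_asn_count, exceeds_limit) for one attribute block."""
    total = sum(confed_sequence_asns(value)
                for code, value in iter_attributes(attr_block) if code == AS_PATH)
    return total, total > limit
```

Malformed input raises `ValueError` rather than being silently skipped, so a truncated capture is not mistaken for a clean one.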

Workaround Instructions:
The workaround requires configuring a max-asns route policy to limit AS path lengths. The following configuration restricts AS paths to 254 or fewer AS numbers: