Critical Cisco IOS XR Flaw Allows Attackers to Crash BGP Process on Routers
Discover the critical Cisco IOS XR vulnerability, CVE-2025-20115, that enables attackers to crash the BGP process on routers, affecting network stability and security.
TL;DR
A severe vulnerability, CVE-2025-20115, in Cisco IOS XR Software allows unauthenticated attackers to crash the BGP process on routers by exploiting a flaw in BGP confederation handling. This can lead to denial-of-service (DoS) conditions, impacting network stability. Cisco has released patches and workarounds to mitigate this issue.
Cisco has addressed a critical denial-of-service (DoS) vulnerability, tracked as CVE-2025-20115, which allows unauthenticated, remote attackers to crash the Border Gateway Protocol (BGP) process on IOS XR routers by sending a single, crafted BGP update message. This flaw poses a significant threat to network stability and security.
Understanding the Vulnerability
IOS XR is a network operating system developed by Cisco for carrier-grade and service provider routers. It is designed with a microkernel architecture, prioritizing high availability, scalability, and modularity. The vulnerability arises from a memory corruption issue when a BGP update is created with an AS_CONFED_SEQUENCE attribute containing 255 autonomous system (AS) numbers.
An attacker can exploit this flaw by sending a crafted BGP update message or by configuring the network such that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers. This can cause memory corruption and a subsequent restart of the BGP process, leading to a DoS condition. For successful exploitation, the attacker must control a BGP confederation speaker within the same autonomous system as the victim.
Impact and Mitigation
The vulnerability affects Cisco IOS XR Software if BGP confederation is configured. It does not impact IOS Software, IOS XE Software, or NX-OS Software. The following versions are affected:
- Cisco IOS XR Software Release 7.11 and earlier: Migrate to a fixed release.
- Cisco IOS XR Software Release 24.1 and earlier: Migrate to a fixed release.
- Cisco IOS XR Software Release 24.2: Fixed in release 24.2.21 (future release).
- Cisco IOS XR Software Release 24.3: Fixed in release 24.3.1.
- Cisco IOS XR Software Release 24.4: Not affected.
To mitigate the risk, Cisco recommends limiting the AS_CONFED_SEQUENCE to 254 or fewer AS numbers if patches cannot be applied immediately. This workaround has been tested successfully in controlled environments, but customers should evaluate its applicability and effectiveness in their specific network conditions.
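The trigger condition above (an AS_CONFED_SEQUENCE segment carrying 255 AS numbers) and the 254-entry workaround limit can be checked passively on BGP UPDATE traffic seen by a collector or IDS. The following added example is not Cisco's code or tooling: it decodes the path-attribute block of a BGP UPDATE per RFC 4271 and RFC 5065 and reports confederation-sequence segments that exceed the workaround limit; the sample attribute bytes are constructed for the test.

```python
"""Passive check for BGP UPDATE path attributes: report every AS_CONFED_SEQUENCE
segment whose AS count reaches the 255-entry condition described in the advisory.
Added example for monitoring use; constants follow RFC 4271 and RFC 5065.
Not Cisco's code; the 254 threshold mirrors the published workaround."""
import struct

AS_PATH = 2                 # path attribute type code (RFC 4271)
AS_CONFED_SEQUENCE = 3      # AS_PATH segment type (RFC 5065)
EXTENDED_LENGTH = 0x10      # attribute flag: 2-byte length field follows
WORKAROUND_LIMIT = 254      # Cisco workaround: keep the sequence at 254 ASNs or fewer


def path_attributes(attrs: bytes):
    """Yield (type_code, value) for each attribute in the UPDATE's attribute block."""
    pos = 0
    while pos + 3 <= len(attrs):
        flags, code = attrs[pos], attrs[pos + 1]
        if flags & EXTENDED_LENGTH:
            (length,) = struct.unpack("!H", attrs[pos + 2:pos + 4])
            pos += 4
        else:
            length, pos = attrs[pos + 2], pos + 3
        yield code, attrs[pos:pos + length]
        pos += length


def as_path_segments(value: bytes, as4: bool = True):
    """Decode an AS_PATH value into (segment_type, [asn, ...]) tuples.
    as4 selects 4-byte ASNs (RFC 6793 sessions) versus 2-byte ASNs."""
    width = 4 if as4 else 2
    pos = 0
    while pos + 2 <= len(value):
        seg_type, count = value[pos], value[pos + 1]   # count is one byte, so at most 255
        raw = value[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated AS_PATH segment")
        yield seg_type, list(struct.unpack("!%d%s" % (count, "I" if as4 else "H"), raw))
        pos += 2 + count * width


def confed_sequence_lengths(attrs: bytes, as4: bool = True):
    """AS counts of every AS_CONFED_SEQUENCE segment found in the attribute block."""
    return [len(asns)
            for code, value in path_attributes(attrs) if code == AS_PATH
            for seg_type, asns in as_path_segments(value, as4)
            if seg_type == AS_CONFED_SEQUENCE]


def exceeds_workaround_limit(attrs: bytes, as4: bool = True) -> bool:
    """True when a confederation sequence is longer than 254 ASNs, i.e. it has
    reached the 255-entry condition the advisory describes."""
    return any(n > WORKAROUND_LIMIT for n in confed_sequence_lengths(attrs, as4))
```

Feed it the path-attribute block of each UPDATE (from BMP or a packet capture) and alert on a True result; a hit means a confederation speaker is already past the workaround limit.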
Cisco’s Advisory
Cisco’s advisory states:
“A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition.”
Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any attacks exploiting this vulnerability in the wild. However, they recommend evaluating the workarounds before deployment, as they may impact network performance based on specific deployment scenarios.
Conclusion
The discovery and patching of CVE-2025-20115 highlight the importance of regular software updates and vigilant network monitoring. Organizations using Cisco IOS XR Software should prioritize applying the necessary patches and implementing recommended workarounds to safeguard their networks from potential DoS attacks.