Hackers are targeting CVE-2020-3118 flaw in Cisco devices

Pierluigi Paganini October 21, 2020

Cisco warns of attacks attempting to exploit the CVE-2020-3118 vulnerability that affects multiple carrier-grade routers running Cisco IOS XR Software.

Cisco is warning of attacks targeting the CVE-2020-3118 high severity vulnerability that affects multiple carrier-grade routers running the Cisco IOS XR Software.

The flaw resides in the Cisco Discovery Protocol implementation for Cisco IOS XR Software and could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

“The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device.” reads the advisory. “A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device.”

Cisco experts pointed out that the flaw can be exploited by unauthenticated adjacent attackers (Layer 2 adjacent) in the same broadcast domain as the vulnerable devices.

It is listed in top 25 vulnerabilities, shared by the NSA, exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The IOS XR Network OS runs on several Cisco router families including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

The vulnerability also impacts third-party white box routers and Cisco products that have the Cisco Discovery Protocol enabled both on at least one interface and globally. Below the list of impacted devices:

ASR 9000 Series Aggregation Services Routers
Carrier Routing System (CRS)
IOS XRv 9000 Router
Network Convergence System (NCS) 540 Series Routers
Network Convergence System (NCS) 560 Series Routers
Network Convergence System (NCS) 1000 Series Routers
Network Convergence System (NCS) 5000 Series Routers
Network Convergence System (NCS) 5500 Series Routers
Network Convergence System (NCS) 6000 Series Routers

Cisco addressed the CVE-2020-3118 flaw in February 2020, along with four other severe issues collectively tracked as CDPwn.

“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild,” states the updated advisory.

“Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”

The following table reports the fixed release for this flaw:

Cisco IOS XR Software Release	First Fixed Release for This Vulnerability
Earlier than 6.6	Appropriate SMU
6.6¹	6.6.3 or appropriate SMU
7.0	7.0.2 (Mar 2020) or appropriate SMU
7.1	Not vulnerable

The advisory includes mitigation to address the flaw, the company suggests disabling Cisco Discovery Protocol Globally and on an Interface for customers who can immediately apply the security updates.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco CVE-2020-3118 flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]

CVE-2020-3118

Pierluigi Paganini July 22, 2025

Cisco confirms active exploitation of ISE and ISE-PIC flaws

Pierluigi Paganini July 22, 2025