Pierluigi Paganini
March 15, 2025
Cisco has addressed a denial of service (DoS) vulnerability, tracked as CVE-2025-20115, that could allow an unauthenticated, remote attacker to crash the Border Gateway Protocol (BGP) process on IOS XR routers by sending a single BGP update message.
IOS XR is a network operating system developed by Cisco for carrier-grade and service provider routers. It is based on a microkernel architecture, designed for high availability, scalability, and modularity.
An attacker can exploit this flaw with a crafted BGP update or a misconfigured network, causing memory corruption and a DoS by restarting the BGP process. Exploitation requires attacker control of a BGP confederation speaker or an AS_CONFED_SEQUENCE attribute reaching 255 AS numbers.
“A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.” reads the advisory. “This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.”
The vulnerability CVE-2025-20115 impacts Cisco IOS XR Software if BGP confederation is configured.
The vulnerability does not impact IOS Software, IOS XE Software, NX-OS Software.
Below are the vulnerable versions:
| Cisco IOS XR Software Release | First Fixed Release |
|---|---|
| 7.11 and earlier | Migrate to a fixed release. |
| 24.1 and earlier | Migrate to a fixed release. |
| 24.2 | 24.2.21 (future release) |
| 24.3 | 24.3.1 |
| 24.4 | Not affected. |
Limit AS_CONFED_SEQUENCE to 254 or fewer AS numbers to reduce attack risk if patches can’t be applied.
“There is a workaround that addresses this vulnerability. This vulnerability exists partly because the BGP AS_CONFED_SEQUENCE attribute is 255 AS numbers or greater. The workaround is to restrict this BGP attribute to 254 or fewer AS numbers.” continues the report. “While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions.”
The IT giant recommends evaluating workarounds before deployment, as they may impact network performance based on specific deployment scenarios.
The company’s Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this vulnerability.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Cisco IOS XR)
