CyberSecurity SEE

Security researchers have discovered a vulnerability in Cisco IOS XR that enables attackers to crash the BGP process on routers

Cisco has addressed a high-severity denial of service (DoS) vulnerability in the Border Gateway Protocol (BGP) process of IOS XR routers. The flaw, tracked as CVE-2025-20115, allows an unauthenticated remote attacker to crash the BGP process with a single BGP update message.

IOS XR is Cisco's network operating system for carrier-grade and service provider routers. It is built around a modular, microkernel-based design and is known for its high availability and scalability.

An attacker can trigger the flaw by sending a crafted BGP update message, or a network can be designed such that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more as it is propagated. In either case the result is memory corruption that crashes the BGP process, producing a denial of service. To exploit the flaw deliberately, the attacker must control a BGP confederation speaker within the same autonomous system as the victim; otherwise the condition can only arise from a network design that lets the attribute reach 255 AS numbers.

According to Cisco's advisory, the root cause is memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute containing 255 autonomous system numbers (AS numbers). The corruption causes the BGP process to restart, which is the DoS condition.

Note that CVE-2025-20115 affects Cisco IOS XR Software only when BGP confederation is configured. IOS Software, IOS XE Software and NX-OS Software are not affected.

Where patching is not immediately feasible, Cisco has provided a workaround: restrict the AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers so that a BGP update can never carry the 255-AS attribute that triggers the corruption.
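The 255 boundary is not arbitrary: in the AS_PATH wire format (RFC 4271, with confederation segment types from RFC 5065) each path segment is one octet of segment type, one octet giving the number of AS numbers, then the AS numbers themselves, so 255 is the largest count a single segment can encode. The following added example (written for this page, not Cisco's code or the advisory's workaround) encodes and parses AS_PATH attribute values and flags any update whose AS_CONFED_SEQUENCE segments carry 255 or more AS numbers, the threshold the advisory names; the 254-or-fewer workaround corresponds to this check never firing. The function and constant names, and the sample paths built from private and documentation ASNs, are assumptions made for the example.

```python
import struct

# AS_PATH segment types (RFC 4271 section 4.3, RFC 5065 section 3)
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4

# Threshold from the Cisco advisory for CVE-2025-20115: an AS_CONFED_SEQUENCE
# with 255 AS numbers triggers the memory corruption; the documented workaround
# keeps the attribute at 254 or fewer AS numbers. Constant name is ours.
CONFED_SEQUENCE_LIMIT = 255


def encode_as_path(segments, four_byte=True):
    """Encode [(segment_type, [asn, ...]), ...] as an AS_PATH attribute value.

    Wire layout per segment: type (1 octet), count of AS numbers (1 octet),
    then the AS numbers (2 octets each, or 4 octets when the session negotiated
    4-octet AS numbers). The one-octet count is why a segment holds at most 255.
    """
    fmt = "!I" if four_byte else "!H"
    out = bytearray()
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("a segment must hold between 1 and 255 AS numbers")
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


def parse_as_path(data, four_byte=True):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].

    Raises ValueError on a truncated or malformed attribute instead of reading
    past the end of the buffer.
    """
    fmt = "!I" if four_byte else "!H"
    asn_len = 4 if four_byte else 2
    segments = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = struct.unpack_from("!BB", data, pos)
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError(f"unknown segment type {seg_type}")
        end = pos + count * asn_len
        if end > len(data):
            raise ValueError("truncated segment body")
        asns = [struct.unpack_from(fmt, data, pos + i * asn_len)[0] for i in range(count)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def confed_sequence_as_count(segments):
    """Total AS numbers carried in the AS_CONFED_SEQUENCE segments of a parsed path."""
    return sum(len(asns) for seg_type, asns in segments if seg_type == AS_CONFED_SEQUENCE)


def exceeds_confed_limit(data, four_byte=True):
    """True when the AS_PATH carries 255 or more AS numbers in AS_CONFED_SEQUENCE segments."""
    return confed_sequence_as_count(parse_as_path(data, four_byte)) >= CONFED_SEQUENCE_LIMIT


def build_confed_path(n_confed, four_byte=True):
    """Constructed sample input (not a captured update): n_confed private member
    ASes in AS_CONFED_SEQUENCE segments, split into 255-AS chunks the way a
    confederation speaker prepending to a full segment would, followed by one
    public AS_SEQUENCE made of documentation ASNs."""
    member_asns = [64512 + (i % 1023) for i in range(n_confed)]
    segments = []
    for i in range(0, len(member_asns), 255):
        segments.append((AS_CONFED_SEQUENCE, member_asns[i:i + 255]))
    segments.append((AS_SEQUENCE, [64496, 64497]))
    return encode_as_path(segments, four_byte)


if __name__ == "__main__":
    for n in (254, 255, 300):
        print(n, "confed ASes ->", "FLAG" if exceeds_confed_limit(build_confed_path(n)) else "ok")
```

The check counts across all AS_CONFED_SEQUENCE segments rather than inspecting a single segment, because a path that has outgrown one 255-entry segment is split across several; a filter that only looked at the first segment would miss the longer case the advisory also describes.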

Cisco's advisory lists the affected IOS XR Software releases and the fixed releases customers should upgrade to. Cisco also advises evaluating the workaround in the customer's own environment before deploying it, since its impact on the network depends on the specific deployment scenario.

As of now, the Product Security Incident Response Team (PSIRT) at Cisco has not received reports of the vulnerability being actively exploited in the wild.

This article was originally published on SecurityAffairs.

Operators running BGP confederations on IOS XR should upgrade to a fixed release or, until they can, keep the AS_CONFED_SEQUENCE attribute at 254 AS numbers or fewer so that a single update cannot take down the BGP process.
