Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.
IOS XR runs on the company’s carrier-grade, Network Convergence System (NCS), and Carrier Routing System (CRS) series of routers, such as the ASR 9000, NCS 5500, and 8000 series.
This high-severity flaw (tracked as CVE-2025-20115) was found in the confederation implementation for the Border Gateway Protocol (BGP), and it only affects Cisco IOS XR devices if BGP confederation is configured.
Successful exploitation allows unauthenticated attackers to take down vulnerable devices remotely in low-complexity attacks by causing memory corruption via buffer overflow, leading to a BGP process restart.
“This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers),” the company explains in a security advisory issued this week.
“An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.”
To exploit the CVE-2025-20115 vulnerability, “the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more,” or the attackers must have control of a BGP confederation speaker within the same autonomous system as the targeted device(s).
| Cisco IOS XR Software Release | First Fixed Release |
|---|---|
| 7.11 and earlier | Migrate to a fixed release. |
| 24.1 and earlier | Migrate to a fixed release. |
| 24.2 | 24.2.21 (future release) |
| 24.3 | 24.3.1 |
| 24.4 | Not affected. |
Those who can’t immediately apply the security patches released earlier this week are advised to restrict the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers to limit potential attacks’ impact.
“While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions,” Cisco said.
The company’s Product Security Incident Response Team (PSIRT) found no evidence that this vulnerability has been exploited in the wild, but Cisco says a write-up published in September on APNIC’s blog provides additional CVE-2025-20115 technical details.
Earlier this month, Cisco warned customers of a vulnerability in Webex for BroadWorks that can let unauthenticated attackers access credentials remotely.
The same week, CISA tagged a remote command execution security flaw impacting Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers as actively exploited in attacks and ordered U.S. federal agencies to secure any vulnerable devices by March 23.
“Cisco continues to strongly recommend that customers upgrade their hardware to Meraki or Cisco 1000 Series Integrated Services Routers to remediate these vulnerabilities,” the company urged in an advisory updated days after CISA’s order was issued.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
