Reference:
Advisory #2025-55
Version:
1.0
Affected software:
Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers, including Release 7.9.2.
Type:
Denial of Service; OS Command Injection; Privilege Escalation; Improper Input Validation; Classic Buffer Overflow; Allocation of Resources Without Limits or Throttling
CVE/CVSS:
CVE-2025-20138: CVSS 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-20146: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVE-2025-20142: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVE-2025-20115: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVE-2025-20209: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2025-20141: CVSS 7.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVE-2025-20138:
A previously authenticated local-network attacker with low privileges can modify OS commands through the CLI by including special elements in their input. The threat actor can exploit this to escalate privileges and gain root access, which allows them to execute any command.
CVE-2025-20146:
An unauthenticated remote threat actor can cause the line card of a Cisco router to reset by giving arbitrary code as an input which sends crafted IPv4 multicast packets through the router. This stems from the lack of proper input validation. In this way, the network-based attacker can cause a Denial-of-Service. During the device reset, incoming and outgoing network traffic through the router is lost.
CVE-2025-20142:
An unauthenticated threat actor can remotely cause the line card of a Cisco router to reset by giving arbitrary code as an input which sends crafted IPv4 multicast packets through the router. This stems from the lack of proper input validation, which decreases the Quality of Service (QoS) of the device. In this way, the network-based attacker can cause a Denial-of-Service. During the device reset, incoming and outgoing network traffic through the router is lost. CVE-2025-20142 mostly affects Layer 2 VPN environments.
CVE-2025-20115:
A remote threat actor who has been previously authenticated can cause the program to crash or enter an infinite loop by modifying the Border Gateway Protocol (BGP) and copying the input buffer to an output buffer. This occurs because the program does not check the size of both buffers. In this way, the network-based attacker can cause a Denial-of-Service.
CVE-2025-20209:
An unauthenticated remote threat actor can send malformed Internet Key Exchange version 2 (IKEv2) packets and limitlessly allocate resources to overwhelm the device and make it unable to process UDP packets. This way the network-based attacker can cause Denial-of-Service.
CVE-2025-20141:
An unauthenticated threat actor in an adjacent network can render the control plane traffic useless by directing data packets to the route processor of the device without limits. This way the attacker can cause Denial-of-Service.