Cyber Resilience

CVE-2009-2055

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 19 August 2009

Published
19 August 2009
Modified
22 April 2026
KEV Added
25 March 2022
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0077 74.0th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2009-2055 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Cisco Ios Xr. Its CVSS base score is 5.9 (Medium).

Operationally, ranked in the top 26.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Cisco IOS XR versions 3.4.0 through 3.8.1 contain an input validation flaw (CWE-20) in the handling of BGP messages. The affected component is the BGP implementation within these IOS XR releases, which fails to properly process UPDATE messages containing an invalid attribute.

Remote attackers can exploit the issue by sending a crafted BGP UPDATE message over an established session. Successful exploitation resets the BGP session, resulting in a denial of service that disrupts routing without requiring authentication or user interaction. The attack was observed in the wild on 17 August 2009.

The Cisco security advisory at http://www.cisco.com/en/US/products/products_security_advisory09186a0080af150f.shtml and related notices on SecurityTracker describe available software updates that address the vulnerability. Operators are advised to apply the recommended IOS XR patches to eliminate exposure.

The flaw received a CVSS v3 score of 5.9, reflecting high attack complexity but significant availability impact on affected routers.

EU & UK References

Vulnerability details

Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute, as demonstrated in the wild on 17 August 2009.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
ios xr
3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of BGP UPDATE messages to reject malformed attributes before they trigger session resets.

prevent

Mandates timely application of the IOS XR patches that correct the input-validation flaw in BGP processing.

preventdetect

Requires mechanisms to detect and limit denial-of-service effects from crafted BGP messages on routing sessions.

References