Cyber Resilience

CVE-2020-3118

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 February 2020
Modified: 28 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.3rd percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-3118 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Cisco IOS XR. Its CVSS base score is 8.8 (High).

Operationally, it is ranked at the 42.3rd percentile for exploit likelihood (EPSS, below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

A vulnerability in the Cisco Discovery Protocol implementation within Cisco IOS XR Software stems from improper validation of string input in certain CDP message fields. This flaw, tracked under CWE-134 and CWE-787, can trigger a stack overflow when processing crafted packets. The affected component is the Layer 2 CDP handler on IOS XR devices, which runs with elevated privileges.

An unauthenticated attacker positioned on the same broadcast domain can exploit the issue by transmitting a single malicious CDP packet to an adjacent device. Successful exploitation yields arbitrary code execution with administrative rights or triggers a device reload, corresponding to the CVSS 8.8 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

The Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce details the flaw and available fixes, while the CISA Known Exploited Vulnerabilities catalog lists CVE-2020-3118 as actively used in the wild. Public exploit code has also appeared on Packet Storm.

Vulnerability details

A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: ios xr
Affected versions: 5.2.5, 6.4.2, 6.5.3, 6.6.25, 7.0.1; ranges 6.6.0 to 6.6.12 and 7.0.0 to 7.0.2
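As an added illustration (not from this page or from Cisco), the following Python check compares a device's reported IOS XR release against the affected versions and ranges listed above; the "show version" line format it parses is a constructed sample and an assumption, not captured device output.

```python
import re

# Affected IOS XR releases exactly as listed on this page: discrete
# versions plus two inclusive ranges.
AFFECTED_VERSIONS = {"5.2.5", "6.4.2", "6.5.3", "6.6.25", "7.0.1"}
AFFECTED_RANGES = [("6.6.0", "6.6.12"), ("7.0.0", "7.0.2")]


def parse_version(text):
    """Turn a dotted release string into a tuple of ints for ordering.
    Numeric (not lexical) comparison matters: 6.6.12 sorts after 6.6.2.
    Tuples of different length compare element-wise, so "6.6" < "6.6.0"."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the release is in the page's discrete list or inside one of
    its inclusive ranges; False for anything the page does not list."""
    if version.strip() in AFFECTED_VERSIONS:
        return True
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def extract_release(show_version_output):
    """Pull the release string out of 'show version' text. The line shape
    'Cisco IOS XR Software, Version 6.6.3' is an assumption for this
    example (constructed sample, not a real capture). Returns None if
    no 'Version x.y.z' token is found."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", show_version_output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample line, not output from a real device.
    SAMPLE = "Cisco IOS XR Software, Version 6.6.3\nCopyright (c) ...\n"
    release = extract_release(SAMPLE)
    verdict = "affected" if release and is_affected(release) else "not listed"
    print(f"release {release}: {verdict}")
```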

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly counters the root cause of improper string validation in CDP message fields that leads to stack overflow.

prevent: Memory protection mechanisms can block exploitation of the stack overflow even when input validation fails.

prevent (CM-7, Least Functionality): Disabling CDP on interfaces where it is not required eliminates the attack surface for adjacent malicious packets.
