Cyber Resilience

CVE-2022-20821

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 May 2022

Modified: 28 October 2025
KEV Added: 23 May 2022
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0884 (92.7th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-20821 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco IOS XR. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

A vulnerability in the health check RPM of Cisco IOS XR Software allows unauthenticated remote access to a Redis instance running inside the NOSi container. The issue stems from the RPM opening TCP port 6379 by default when activated, exposing the database without authentication controls. The affected component is therefore the health-check functionality within IOS XR rather than the core routing stack.

An unauthenticated remote attacker can connect directly to the exposed Redis port and perform write operations against the in-memory database, write arbitrary files inside the container filesystem, or enumerate database metadata. Because the container is sandboxed, these actions do not extend to remote-code execution or compromise of the underlying IOS XR host.

Cisco’s security advisory at tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK details mitigation steps, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.

EPSS scores rose from low values to a peak of 0.2041 before receding to the current 0.0884, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.

CWE(s)
KEV Date Added: 23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
ios xr
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization requirements before allowing any connection to the Redis TCP port 6379.

prevent

Restricts external network traffic to the container's exposed Redis port and prevents the default open-port behavior from reaching attackers.

prevent

Disables or removes non-essential services such as the health-check RPM that opens unauthenticated ports by default.
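
One way to verify the controls above from a management host, as an added example that is not part of the original page or of Cisco's advisory: it sends a single unauthenticated `PING` to TCP port 6379 and classifies the reply. The function names and finding labels are assumptions made for this example.

```python
"""Audit helper: is the Redis port from CVE-2022-20821 reachable without authentication?"""
import socket
import sys

REDIS_PORT = 6379  # port the page says the health check RPM opens by default


def classify_reply(reply: bytes) -> str:
    """Classify the first RESP line returned to an unauthenticated PING.

    The finding labels are names invented for this example.
    """
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "exposed-unauthenticated"      # command accepted with no credentials
    if line.startswith(b"-NOAUTH"):
        return "reachable-auth-required"      # Redis answers but demands AUTH
    if line.startswith(b"-DENIED"):
        return "reachable-protected-mode"     # Redis protected mode refused the peer
    if not line:
        return "reachable-no-reply"           # port open, nothing sent back
    return "reachable-unexpected-reply"       # open port, not a recognised Redis reply


def probe(host: str, port: int = REDIS_PORT, timeout: float = 3.0) -> str:
    """Send one read-only PING and report what an unauthenticated peer sees."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                           # refused, timed out or unreachable
        return "closed-or-filtered"
    with sock:
        try:
            sock.sendall(b"PING\r\n")         # Redis inline command, changes no state
            reply = sock.recv(256)
        except OSError:                       # reset or timeout after connecting
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Usage: python check_redis_exposure.py <router-mgmt-address> [...]
    for target in sys.argv[1:]:
        print(f"{target}:{REDIS_PORT} {probe(target)}")
```

Any result other than `closed-or-filtered` when run from an untrusted network segment means the boundary restriction is not in effect for that path.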
