Cyber Resilience

CVE-2025-20115

High

Published: 12 March 2025

Modified: 01 August 2025
KEV Added
Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0137 (80.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20115 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco IOS XR. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the confederation implementation of the Border Gateway Protocol (BGP) in Cisco IOS XR Software stems from memory corruption that occurs when processing a BGP update containing an AS_CONFED_SEQUENCE attribute with exactly 255 autonomous system numbers. The affected component is the BGP process within IOS XR, and the flaw is tracked under CWE-120 with a CVSS score of 8.6.

An unauthenticated remote attacker who controls a BGP confederation speaker inside the same autonomous system as the target device can send a specially crafted BGP update message to trigger the corruption. The same outcome can occur through network topology that naturally expands the AS_CONFED_SEQUENCE attribute to 255 or more entries. Successful exploitation restarts the BGP process and produces a denial-of-service condition.
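
A defender-side check for the condition described above, as an added example that is not from Cisco or from this page's source: it walks an AS_PATH attribute value taken from a captured BGP UPDATE and reports how many AS numbers sit in AS_CONFED_SEQUENCE segments. The segment layout follows RFC 4271 and RFC 5065; the function names, the 200-entry warning threshold and the sample bytes are assumptions made for illustration.

```python
import struct

AS_SEQUENCE = 2          # RFC 4271 path segment type
AS_CONFED_SEQUENCE = 3   # RFC 5065 path segment type
CONFED_LIMIT = 255       # AS count named in the vulnerability description
WARN_AT = 200            # hypothetical early-warning threshold (assumption)


def confed_sequence_counts(as_path: bytes, asn_size: int = 4) -> list:
    """Return the AS count of each AS_CONFED_SEQUENCE segment in an AS_PATH value.

    Each segment is: type (1 byte), AS count (1 byte), then count * asn_size bytes.
    """
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4 bytes")
    counts, offset = [], 0
    while offset < len(as_path):
        if len(as_path) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, seg_len = as_path[offset], as_path[offset + 1]
        end = offset + 2 + seg_len * asn_size
        if end > len(as_path):
            raise ValueError("segment runs past end of attribute")
        if seg_type == AS_CONFED_SEQUENCE:
            counts.append(seg_len)
        offset = end
    return counts


def assess(as_path: bytes, asn_size: int = 4, warn_at: int = WARN_AT,
           limit: int = CONFED_LIMIT) -> str:
    """Classify a path by its total confederation-sequence AS count.

    Summing across segments is a conservative assumption of this example.
    """
    total = sum(confed_sequence_counts(as_path, asn_size))
    if total >= limit:
        return "critical"
    return "warn" if total >= warn_at else "ok"


def segment(seg_type: int, asns: list) -> bytes:
    """Encode one path segment with 4-byte AS numbers (used for the sample below)."""
    return struct.pack(f"!BB{len(asns)}I", seg_type, len(asns), *asns)


# Constructed sample: three confederation member ASes, then one external AS.
SAMPLE = segment(AS_CONFED_SEQUENCE, [65001, 65002, 65003]) + segment(AS_SEQUENCE, [64500])

if __name__ == "__main__":
    print(confed_sequence_counts(SAMPLE), assess(SAMPLE))
```

Running it over route-collector data for confederation peers shows how close existing paths are to the 255-entry condition before any single update reaches it.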

The Cisco Security Advisory cisco-sa-iosxr-bgp-dos-O7stePhX and related references such as the APNIC blog on BGP AS-path manipulation provide official guidance on mitigation steps and software updates. The associated EPSS score remains low, with a current value of 0.0137 and a peak of 0.0177, indicating no significant post-disclosure increase in observed exploitation activity.

Vulnerability details

A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables exploitation of a memory corruption flaw in the BGP process (via crafted AS_CONFED_SEQUENCE in BGP updates) to crash/restart the service, directly mapping to Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20100 (same vendor: Cisco)
CVE-2025-20138 (same product: Cisco IOS XR)
CVE-2025-20172 (same product: Cisco IOS XR)
CVE-2025-20209 (same product: Cisco IOS XR)
CVE-2025-20141 (same product: Cisco IOS XR)
CVE-2025-20171 (same vendor: Cisco)
CVE-2025-20175 (same vendor: Cisco)
CVE-2025-20174 (same vendor: Cisco)
CVE-2025-20169 (same vendor: Cisco)
CVE-2025-20176 (same vendor: Cisco)

Affected Assets

Vendor: Cisco
Product: IOS XR
Versions: 24.1.1, 24.1.2, 24.2.1, 24.2.11, 24.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly remediates the BGP confederation memory corruption vulnerability by identifying, reporting, and applying vendor patches to Cisco IOS XR Software.

Prevent: Prevents exploitation of the buffer copy without size check (CWE-120) by validating the size and content of AS_CONFED_SEQUENCE attributes in incoming BGP updates.

Prevent: Mitigates the DoS impact from crafted BGP updates causing BGP process restarts through denial-of-service protections such as rate limiting on BGP confederation peers.

References