CVE-2025-20115
Published: 12 March 2025
Summary
CVE-2025-20115 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco IOS XR. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the confederation implementation of the Border Gateway Protocol (BGP) in Cisco IOS XR Software stems from memory corruption that occurs when processing a BGP update containing an AS_CONFED_SEQUENCE attribute with exactly 255 autonomous system numbers. The affected component is the BGP process within IOS XR, and the flaw is tracked under CWE-120 with a CVSS score of 8.6.
An unauthenticated remote attacker who controls a BGP confederation speaker inside the same autonomous system as the target device can send a specially crafted BGP update message to trigger the corruption. The same outcome can occur through network topology that naturally expands the AS_CONFED_SEQUENCE attribute to 255 or more entries. Successful exploitation restarts the BGP process and produces a denial-of-service condition.
The Cisco Security Advisory cisco-sa-iosxr-bgp-dos-O7stePhX and related references such as the APNIC blog on BGP AS-path manipulation provide official guidance on mitigation steps and software updates. The associated EPSS score remains low, with a current value of 0.0137 and a peak of 0.0177, indicating no significant post-disclosure increase in observed exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7287
Vulnerability details
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a memory corruption flaw in the BGP process (via crafted AS_CONFED_SEQUENCE in BGP updates) to crash/restart the service, directly mapping to Application or System Exploitation for DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the BGP confederation memory corruption vulnerability by identifying, reporting, and applying vendor patches to Cisco IOS XR Software.
- SI-10 (Information Input Validation): Prevents exploitation of the buffer copy without size check (CWE-120) by validating the size and content of AS_CONFED_SEQUENCE attributes in incoming BGP updates.
- Denial-of-service protection: Mitigates the DoS impact from crafted BGP updates causing BGP process restarts through protections such as rate limiting on BGP confederation peers.
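As an added example (not Cisco's code or text from the advisory), the kind of defender-side input-validation check a BGP monitoring or route-collector tool could apply to captured updates: it parses the AS_PATH attribute value per RFC 4271/5065, refuses segments whose declared length exceeds the attribute, and flags any update whose AS_CONFED_SEQUENCE segments together reach the 255-entry length the advisory describes. It generalises slightly beyond the advisory by summing confederation entries across several segments, since one segment's one-byte count cannot exceed 255 on its own. The sample paths are constructed; the 255 threshold is the figure from the advisory.

```python
import struct

# BGP AS_PATH segment types (RFC 4271 s4.3; confederation types from RFC 5065)
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
# Length at which the advisory says the affected implementation corrupts memory
CONFED_SEQ_THRESHOLD = 255


def encode_as_path(segments, as4=True):
    """Serialise (seg_type, [asn, ...]) pairs into AS_PATH value bytes; used to build test input."""
    fmt = "!I" if as4 else "!H"
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])  # one-byte count: a single segment holds at most 255 ASNs
        out += b"".join(struct.pack(fmt, a) for a in asns)
    return bytes(out)


def parse_as_path(attr, as4=True):
    """Parse AS_PATH value bytes into (seg_type, [asn, ...]) pairs without reading past the buffer."""
    asn_size, fmt = (4, "!I") if as4 else (2, "!H")
    segments, pos = [], 0
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = attr[pos], attr[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError(f"unknown segment type {seg_type}")
        if len(attr) - pos < count * asn_size:
            raise ValueError(f"segment declares {count} ASNs but attribute is too short")
        asns = [struct.unpack_from(fmt, attr, pos + i * asn_size)[0] for i in range(count)]
        pos += count * asn_size
        segments.append((seg_type, asns))
    return segments


def check_as_path(attr, as4=True):
    """Return input-validation findings: malformed encoding, or 255+ ASNs in AS_CONFED_SEQUENCE."""
    try:
        segments = parse_as_path(attr, as4)
    except ValueError as exc:
        return [f"malformed AS_PATH: {exc}"]
    confed_len = sum(len(asns) for seg_type, asns in segments if seg_type == AS_CONFED_SEQUENCE)
    if confed_len >= CONFED_SEQ_THRESHOLD:
        return [f"AS_CONFED_SEQUENCE carries {confed_len} ASNs (>= {CONFED_SEQ_THRESHOLD})"]
    return []


# Constructed samples: a benign path, and one whose confederation sequence reaches the threshold
BENIGN = encode_as_path([(AS_CONFED_SEQUENCE, [65001, 65002]), (AS_SEQUENCE, [64496])])
SUSPECT = encode_as_path([(AS_CONFED_SEQUENCE, list(range(65001, 65001 + 255)))])
```

The same check works for 2-byte AS_PATH encodings by passing as4=False, which matters because a 2-byte path parsed with 4-byte expectations is reported as malformed rather than silently misread.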