CVE-2025-20115
Published: 12 March 2025
Summary
CVE-2025-20115 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco IOS XR Software. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 17.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): directly remediates the BGP confederation memory corruption vulnerability by identifying, reporting, and applying vendor patches to Cisco IOS XR Software.
- SI-10 (Information Input Validation): prevents exploitation of the buffer copy without size check (CWE-120) by validating the size and content of AS_CONFED_SEQUENCE attributes in incoming BGP updates.
- Denial-of-service protection: mitigates the DoS impact of crafted BGP updates that cause BGP process restarts through measures such as rate limiting on BGP confederation peers.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables exploitation of a memory corruption flaw in the BGP process (via a crafted AS_CONFED_SEQUENCE attribute in BGP updates) to crash or restart the service, which maps directly to Application or System Exploitation (T1499.004) for DoS.
NVD Description
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more.
Deeper analysis [AI-generated]
CVE-2025-20115 is a vulnerability in the confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software. The issue stems from memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute containing 255 autonomous system numbers (ASNs). Published on 2025-03-12, it is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-120 (Buffer Copy without Checking Size of Input).
An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted BGP update message, or it could be triggered if the network is designed such that the AS_CONFED_SEQUENCE attribute grows to 255 ASNs or more. To succeed, the attacker must control a BGP confederation speaker within the same autonomous system as the victim. Exploitation causes memory corruption, which may restart the BGP process and result in a denial-of-service (DoS) condition.
Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bgp-dos-O7stePhX. Additional technical context on crafting such AS paths appears in the APNIC blog post at https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/.
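The SI-10 control above amounts to a size check on the AS_PATH attribute before it reaches the confederation code. The following validator is an added example (not Cisco code and not part of the advisory) of what such a check looks like at a route collector, BGP filter or monitoring hook: it parses the AS_PATH attribute of a BGP UPDATE, rejects truncated or malformed segments, and flags any update whose AS_CONFED_SEQUENCE segments together reach the 255-ASN condition the NVD description cites. It assumes 4-octet AS numbers (RFC 6793) and the segment layout of RFC 4271 / RFC 5065 (one type byte, one count byte, then the ASNs); the fixtures at the bottom are constructed, not captured traffic, and the threshold constant is a hypothetical name chosen for this example.

```python
"""Defender-side size check for the BGP AS_PATH attribute (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

# Segment types from RFC 4271 (AS_SET, AS_SEQUENCE) and RFC 5065 (confederations).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}

# Hypothetical name: the ASN count at which the advisory reports memory corruption.
CONFED_ASN_LIMIT = 255


@dataclass
class Segment:
    seg_type: int
    asns: List[int]


@dataclass
class Verdict:
    segments: List[Segment] = field(default_factory=list)
    confed_asn_total: int = 0          # ASNs across all AS_CONFED_SEQUENCE segments
    findings: List[str] = field(default_factory=list)

    @property
    def accept(self) -> bool:
        return not self.findings


def encode_as_path(segments: Sequence[Tuple[int, Sequence[int]]]) -> bytes:
    """Serialize (type, [asn, ...]) tuples with 4-octet ASNs; used only to build fixtures."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("a segment holds 1..255 ASNs (count is one byte)")
        out += struct.pack("!BB", seg_type, len(asns))
        out += b"".join(struct.pack("!I", asn) for asn in asns)
    return bytes(out)


def check_as_path(value: bytes, limit: int = CONFED_ASN_LIMIT) -> Verdict:
    """Parse an AS_PATH attribute value and apply the size/content checks.

    Any finding means the update should be dropped (or, on a monitoring tap,
    alerted on) before the confederation code processes it.
    """
    v = Verdict()
    pos = 0
    while pos < len(value):
        if len(value) - pos < 2:
            v.findings.append(f"truncated segment header at offset {pos}")
            return v
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in SEGMENT_NAMES:
            v.findings.append(f"unknown segment type {seg_type} at offset {pos - 2}")
            return v
        if count == 0:
            v.findings.append(f"{SEGMENT_NAMES[seg_type]} segment with zero ASNs (malformed)")
            return v
        need = 4 * count
        if len(value) - pos < need:
            present = (len(value) - pos) // 4
            v.findings.append(f"{SEGMENT_NAMES[seg_type]} claims {count} ASNs but only {present} present")
            return v
        asns = list(struct.unpack(f"!{count}I", value[pos:pos + need]))
        pos += need
        v.segments.append(Segment(seg_type, asns))
        if seg_type == AS_CONFED_SEQUENCE:
            v.confed_asn_total += count
    # The SI-10 check itself: refuse confederation paths at or beyond the limit.
    if v.confed_asn_total >= limit:
        v.findings.append(f"AS_CONFED_SEQUENCE carries {v.confed_asn_total} ASNs (limit {limit})")
    return v


# Constructed fixtures (not captured traffic): a normal path through a confederation,
# and one whose confederation segment has reached the 255-ASN condition.
BENIGN_AS_PATH = encode_as_path([(AS_CONFED_SEQUENCE, [65001, 65002]),
                                 (AS_SEQUENCE, [64512, 3356])])
OVERSIZED_AS_PATH = encode_as_path([(AS_CONFED_SEQUENCE, [65000 + i for i in range(255)])])

if __name__ == "__main__":
    for name, path in (("benign", BENIGN_AS_PATH), ("oversized", OVERSIZED_AS_PATH)):
        verdict = check_as_path(path)
        print(name, "accept" if verdict.accept else "REJECT", verdict.findings)
```

Run against the oversized fixture, `check_as_path` rejects the update with a single finding naming the 255-ASN confederation segment, while the benign path (two confederation ASNs, then a public AS_SEQUENCE) is accepted. An empty AS_PATH value is accepted, as it is legitimate for locally originated iBGP routes; the truncation and zero-length checks follow the malformed-attribute handling of RFC 7606 rather than trusting the count byte.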
Details
- CWE(s)