Cyber Resilience

CVE-2025-20141

High

Published: 12 March 2025

Published
12 March 2025
Modified
06 August 2025
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0008 23.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20141 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Cisco Ios Xr. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-20141 is a vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2. It affects multiple Cisco IOS XR platforms and stems from incorrect processing of these packets by the Linux stack on the route processor. The issue has a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated, adjacent attacker could exploit this vulnerability by sending traffic that requires handling by the Linux stack on the route processor of an affected device. Successful exploitation would cause control plane traffic to stop working across the device, resulting in a denial-of-service (DoS) condition.

The Cisco security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr792-bWfVDPY provides details on this vulnerability, including affected versions and recommended mitigation steps. Additional context appears in the APNIC blog post at https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/.

EU & UK References

Vulnerability details

A vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2 could allow an unauthenticated, adjacent attacker to cause control plane traffic to stop working…

more

on multiple Cisco IOS XR platforms.  This vulnerability is due to incorrect handling of packets that are punted to the route processor. An attacker could exploit this vulnerability by sending traffic, which must be handled by the Linux stack on the route processor, to an affected device. A successful exploit could allow the attacker to cause control plane traffic to stop working, resulting in a denial of service (DoS) condition.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in packet processing leads to resource exhaustion (CWE-770) enabling DoS on control plane via exploitation of the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20209Same product: Cisco Ios Xr
CVE-2026-20103Same vendor: Cisco
CVE-2025-20115Same product: Cisco Ios Xr
CVE-2025-20172Same product: Cisco Ios Xr
CVE-2025-20175Same vendor: Cisco
CVE-2025-20171Same vendor: Cisco
CVE-2025-20174Same vendor: Cisco
CVE-2025-20169Same vendor: Cisco
CVE-2025-20176Same vendor: Cisco
CVE-2026-20105Same vendor: Cisco

Affected Assets

cisco
ios xr
7.9.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation and patching of the specific flaw in packet handling by the Linux stack on the route processor, eliminating the vulnerability root cause.

preventdetect

Implements denial-of-service protection including rate limiting and filtering for control plane punts triggered by malicious adjacent traffic.

prevent

Protects route processor resource availability from exhaustion due to unthrottled processing of punted packets matching CWE-770.

References