CVE-2025-20141
Published: 12 March 2025
Summary
CVE-2025-20141 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Cisco Ios Xr. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation and patching of the specific flaw in packet handling by the Linux stack on the route processor, eliminating the vulnerability root cause.
Implements denial-of-service protection including rate limiting and filtering for control plane punts triggered by malicious adjacent traffic.
Protects route processor resource availability from exhaustion due to unthrottled processing of punted packets matching CWE-770.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in packet processing leads to resource exhaustion (CWE-770) enabling DoS on control plane via exploitation of the system.
NVD Description
A vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2 could allow an unauthenticated, adjacent attacker to cause control plane traffic to stop working…
more
on multiple Cisco IOS XR platforms. This vulnerability is due to incorrect handling of packets that are punted to the route processor. An attacker could exploit this vulnerability by sending traffic, which must be handled by the Linux stack on the route processor, to an affected device. A successful exploit could allow the attacker to cause control plane traffic to stop working, resulting in a denial of service (DoS) condition.
Deeper analysisAI
CVE-2025-20141 is a vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2. It affects multiple Cisco IOS XR platforms and stems from incorrect processing of these packets by the Linux stack on the route processor. The issue has a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated, adjacent attacker could exploit this vulnerability by sending traffic that requires handling by the Linux stack on the route processor of an affected device. Successful exploitation would cause control plane traffic to stop working across the device, resulting in a denial-of-service (DoS) condition.
The Cisco security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr792-bWfVDPY provides details on this vulnerability, including affected versions and recommended mitigation steps. Additional context appears in the APNIC blog post at https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/.
Details
- CWE(s)