Cyber Resilience

CVE-2025-20209

HighDDoS

Published: 12 March 2025

Published
12 March 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0056 68.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20209 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Cisco Ios Xr. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-20209 is a vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software. It arises from improper handling of malformed IKEv2 packets, which could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets, resulting in a denial-of-service (DoS) condition. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated, remote attacker can exploit this vulnerability by sending malformed IKEv2 packets to an affected device. Successful exploitation would disrupt the device's ability to process control plane UDP packets, leading to a DoS condition that impacts network operations reliant on those packets.

Cisco has released software updates that address this vulnerability, as detailed in their security advisory. There are no workarounds available to mitigate the issue.

EU & UK References

Vulnerability details

A vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets.  This vulnerability is due to improper…

more

handling of malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device. A successful exploit could allow the attacker to prevent the affected device from processing any control plane UDP packets, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of malformed IKEv2 packets causing DoS via improper resource handling in the application, directly mapping to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20141Same product: Cisco Ios Xr
CVE-2026-20103Same vendor: Cisco
CVE-2025-20115Same product: Cisco Ios Xr
CVE-2025-20172Same product: Cisco Ios Xr
CVE-2025-20175Same vendor: Cisco
CVE-2025-20171Same vendor: Cisco
CVE-2025-20174Same vendor: Cisco
CVE-2025-20169Same vendor: Cisco
CVE-2025-20176Same vendor: Cisco
CVE-2026-20105Same vendor: Cisco

Affected Assets

cisco
ios xr
24.1.1, 24.1.2, 24.2.1, 24.2.11, 6.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely installation of Cisco software updates that fix the improper handling of malformed IKEv2 packets.

prevent

Provides denial-of-service protections such as rate limiting or throttling IKEv2 UDP traffic to limit the impact of malformed packet floods on control plane processing.

prevent

Mandates validation of IKEv2 packet syntax and semantics to reject malformed inputs before they trigger resource exhaustion and DoS.

References