CVE-2025-20209
Published: 12 March 2025
Summary
CVE-2025-20209 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Cisco Ios Xr. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 31.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely installation of Cisco software updates that fix the improper handling of malformed IKEv2 packets.
Provides denial-of-service protections such as rate limiting or throttling IKEv2 UDP traffic to limit the impact of malformed packet floods on control plane processing.
Mandates validation of IKEv2 packet syntax and semantics to reject malformed inputs before they trigger resource exhaustion and DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated exploitation of malformed IKEv2 packets causing DoS via improper resource handling in the application, directly mapping to application or system exploitation for endpoint denial of service.
NVD Description
A vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets. This vulnerability is due to improper…
more
handling of malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device. A successful exploit could allow the attacker to prevent the affected device from processing any control plane UDP packets, resulting in a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Deeper analysisAI
CVE-2025-20209 is a vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software. It arises from improper handling of malformed IKEv2 packets, which could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets, resulting in a denial-of-service (DoS) condition. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated, remote attacker can exploit this vulnerability by sending malformed IKEv2 packets to an affected device. Successful exploitation would disrupt the device's ability to process control plane UDP packets, leading to a DoS condition that impacts network operations reliant on those packets.
Cisco has released software updates that address this vulnerability, as detailed in their security advisory. There are no workarounds available to mitigate the issue.
Details
- CWE(s)