
Cisco has issued a security advisory addressing a denial-of-service (DoS) vulnerability in its IOS XR Software. The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation.
The advisory warns that the flaw could allow “an unauthenticated, remote attacker to cause a denial of service (DoS) condition”. This vulnerability arises from “a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers)”.
An attacker could exploit this vulnerability by sending a crafted BGP update message. Additionally, a network could be designed in such a way that the “AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more,” which could also trigger the vulnerability. Successful exploitation could lead to memory corruption, potentially causing the BGP process to restart and resulting in a DoS condition.
The advisory emphasizes that to exploit this vulnerability, an attacker must either control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed to allow the AS_CONFED_SEQUENCE attribute to reach 255 AS numbers or more.
At the time of publication, the vulnerability affected Cisco IOS XR Software with BGP confederation configured. To determine if a device is vulnerable, administrators can use the show running-config router bgp EXEC CLI command. If the router is configured for BGP, this command will provide output. However, the device is only considered vulnerable if the bgp confederation peers configuration command is also present in the output.
Fortunately, Cisco has provided a workaround to mitigate this vulnerability. The vulnerability exists partly because the BGP AS_CONFED_SEQUENCE attribute can have 255 AS numbers or greater. The workaround involves restricting this BGP attribute to 254 or fewer AS numbers. This can be achieved by using a routing policy to drop BGP updates with long AS path lengths on the confederation peers.
Here’s an example of a routing policy provided in the advisory:
Cisco advises customers to carefully evaluate the applicability and effectiveness of any workaround in their own environment and under their specific use conditions.
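As an added illustration of the condition the workaround guards against (this is not code from the advisory or from Cisco), the following Python decodes the value of a BGP AS_PATH attribute into its segments and flags an update whose AS_CONFED_SEQUENCE segments total 255 or more AS numbers, the same threshold the routing-policy workaround enforces. The segment encoding follows RFC 4271 and RFC 5065; the attribute bytes used as samples are constructed here, and 4-byte AS numbers are assumed unless asn_width is set to 2.

```python
import struct

# AS_PATH segment types (RFC 4271 section 4.3, RFC 5065 section 3)
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
# Advisory workaround: keep AS_CONFED_SEQUENCE at 254 AS numbers or fewer
MAX_SAFE_CONFED_LEN = 254


def parse_as_path(value: bytes, asn_width: int = 4) -> list[tuple[int, list[int]]]:
    """Decode an AS_PATH attribute value into (segment_type, [asn, ...]) tuples.

    Each segment is: 1 octet type, 1 octet AS count, then count AS numbers.
    Raises ValueError on a truncated or inconsistent encoding instead of
    reading past the buffer (the failure mode the advisory describes is
    exactly an unchecked length on the receiving side).
    """
    fmt = ">I" if asn_width == 4 else ">H"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        need = count * asn_width
        if pos + need > len(value):
            raise ValueError("segment length exceeds attribute length")
        asns = [struct.unpack_from(fmt, value, pos + i * asn_width)[0] for i in range(count)]
        pos += need
        segments.append((seg_type, asns))
    return segments


def confed_sequence_length(segments: list[tuple[int, list[int]]]) -> int:
    """Total AS numbers carried in all AS_CONFED_SEQUENCE segments of the path."""
    return sum(len(asns) for seg_type, asns in segments if seg_type == AS_CONFED_SEQUENCE)


def exceeds_confed_limit(value: bytes, asn_width: int = 4, limit: int = MAX_SAFE_CONFED_LEN) -> bool:
    """True when the update would be dropped by a '254 or fewer' confederation policy."""
    return confed_sequence_length(parse_as_path(value, asn_width)) > limit


# Constructed sample attribute values (not captured traffic).
# A short confederation path followed by one external AS: fine.
NORMAL = bytes([AS_CONFED_SEQUENCE, 2]) + struct.pack(">II", 65001, 65002) \
    + bytes([AS_SEQUENCE, 1]) + struct.pack(">I", 64512)
# A single AS_CONFED_SEQUENCE segment carrying 255 AS numbers: the one-octet
# count field cannot encode more, and this is the length the advisory names.
LONG = bytes([AS_CONFED_SEQUENCE, 255]) + b"".join(struct.pack(">I", a) for a in range(65001, 65256))
```

Running exceeds_confed_limit over AS_PATH values extracted from a BGP capture gives a quick check that the policy threshold is actually being honoured on confederation sessions.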
Cisco has released software updates to address this vulnerability. Here’s a summary of the affected releases and the corresponding fixes:
- Cisco IOS XR Software Release 7.11 and earlier: Migrate to a fixed release.
- Cisco IOS XR Software Release 24.1 and earlier: Migrate to a fixed release.
- Cisco IOS XR Software Release 24.2: Upgrade to version 24.2.21 (future release).
- Cisco IOS XR Software Release 24.3: Upgrade to version 24.3.1.
- Cisco IOS XR Software Release 24.4: Not affected.
Cisco’s PSIRT is aware of a public announcement about this issue. While the announcement is not specific to Cisco IOS XR Software, it highlights the broader issue of crafting endless AS-PATHs in BGP. Currently, the Cisco PSIRT is not aware of any malicious use of the vulnerability.
Cisco urges users to review the advisory and take appropriate actions to mitigate the risk.