Cisco IOS XR Flaw Allows Attackers to Crash BGP Process on Routers

A critical vulnerability has been discovered in Cisco's IOS XR network operating system, allowing remote attackers to crash the Border Gateway Protocol (BGP) process on routers. The vulnerability, tracked as CVE-2025-20115, can be exploited by sending a single malicious BGP update message or through misconfigured networks, causing memory corruption and denial-of-service (DoS) conditions.

Cisco IOS XR is a high-performance network operating system designed for carrier-grade and service provider routers. It is based on a microkernel architecture, providing high availability, scalability, and modularity. However, a flaw in its BGP confederation handling can be exploited to crash the BGP process and disrupt routing on affected devices.

Exploitation and Impact

The vulnerability can be exploited in two ways: either by an attacker controlling a BGP confederation speaker within the same autonomous system as the victim or by designing the network such that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. When this happens, memory corruption occurs, causing the BGP process to restart and resulting in a DoS condition.
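As an added example (not from the article or from Cisco), the Python below parses a BGP AS_PATH attribute value and flags AS_CONFED_SEQUENCE segments longer than the 254-ASN limit the advisory recommends, the kind of check a defender might run over a BMP feed or a packet capture. Segment type codes follow RFC 4271 and RFC 5065; 4-octet AS numbers are assumed, and the sample paths are constructed rather than captured.

```python
import struct

# AS_PATH segment type codes (RFC 4271 / RFC 5065)
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4

# Cisco's advisory: a confed sequence of 255 or more AS numbers triggers the
# bug; the workaround keeps it at 254 or fewer.
MAX_SAFE_CONFED_SEQUENCE = 254


def parse_as_path(value: bytes, asn_width: int = 4) -> list:
    """Parse an AS_PATH attribute value into (segment_type, [asn, ...]) tuples.

    asn_width is 4 when both peers negotiated 4-octet AS numbers (RFC 6793),
    otherwise 2. Raises ValueError on truncated input.
    """
    fmt = ">I" if asn_width == 4 else ">H"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]   # type, ASN count
        pos += 2
        end = pos + count * asn_width
        if end > len(value):
            raise ValueError("truncated segment body")
        asns = [struct.unpack(fmt, value[i:i + asn_width])[0]
                for i in range(pos, end, asn_width)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def oversized_confed_segments(value: bytes, asn_width: int = 4) -> list:
    """Return the ASN counts of AS_CONFED_SEQUENCE segments above the safe limit."""
    return [len(asns) for seg_type, asns in parse_as_path(value, asn_width)
            if seg_type == AS_CONFED_SEQUENCE and len(asns) > MAX_SAFE_CONFED_SEQUENCE]


def build_as_path(segments, asn_width: int = 4) -> bytes:
    """Encode segments to wire format (used here only to build constructed samples)."""
    fmt = ">I" if asn_width == 4 else ">H"
    return b"".join(bytes([seg_type, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)
                    for seg_type, asns in segments)


# Constructed sample paths using private-use ASNs, not captured traffic.
BENIGN_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65001, 65002]), (AS_SEQUENCE, [64512])])
OVERSIZED_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65000 + i for i in range(255)])])

if __name__ == "__main__":
    print("benign:", oversized_confed_segments(BENIGN_PATH))        # []
    print("oversized:", oversized_confed_segments(OVERSIZED_PATH))  # [255]
```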

According to Cisco's Product Security Incident Response Team (PSIRT), an attacker does not need to have control over the router itself to exploit this vulnerability. The attack can be carried out remotely, making it a significant threat to network security.

Patch and Workaround

Cisco has released fixed software for IOS XR. For customers who cannot apply the patches immediately, the company advises limiting the AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers as a workaround, which reduces the attack risk until the fix is installed.

However, Cisco notes that this workaround may affect network performance depending on the deployment. Customers should therefore evaluate the workaround and test it in their own environment before rolling it out.

Recommendations

Cisco recommends that customers take the following steps to mitigate the risk of this vulnerability:

  • Limit AS_CONFED_SEQUENCE to 254 or fewer AS numbers to reduce attack risk if patches can’t be applied.
  • Evaluate workarounds before deployment, as they may impact network performance based on specific deployment scenarios.

Cisco's PSIRT is not aware of attacks in the wild exploiting this vulnerability. However, customers are advised to monitor their networks closely and take immediate action if any suspicious activity is detected.