CVE-2025-20142
📋 TL;DR
This vulnerability in Cisco IOS XR Software allows unauthenticated remote attackers to cause line card resets by sending crafted IPv4 packets to interfaces with IPv4 ACL or QoS policies applied. This results in denial of service as traffic over the affected line card is lost during reload. Organizations using Cisco ASR 9000/9900 series routers with these features enabled are affected.
💻 Affected Systems
- Cisco ASR 9000 Series Aggregation Services Routers
- Cisco ASR 9902 Compact High-Performance Routers
- Cisco ASR 9903 Compact High-Performance Routers
📦 What is this software?
IOS XR by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Multiple line cards could be simultaneously reset across multiple routers, causing widespread network outages and service disruption.
Likely Case
Targeted line card resets causing localized DoS affecting specific network segments or services, particularly in L2VPN environments.
If Mitigated
Limited to single line card impact with rapid failover to redundant paths if network architecture includes redundancy.
🎯 Exploit Status
Requires crafting specific malformed IPv4 packets and sending them to vulnerable interfaces. No authentication needed, but attacker must reach affected interfaces.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cisco IOS XR Software 7.11.2 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4uni-LfM3cfBu
Restart Required: No
Instructions:
1. Download Cisco IOS XR Software 7.11.2 or later from Cisco Software Center.
2. Follow standard IOS XR upgrade procedures.
3. No line card or router reload required for patch application.
🔧 Temporary Workarounds
Remove IPv4 ACL/QoS policies from interfaces
Temporarily remove IPv4 access control lists or quality of service policies from all interfaces to eliminate the attack surface. The commands below are entered in interface configuration mode; IOS XR uses ingress/egress for ACL direction rather than in/out:
no ipv4 access-group ACL_NAME ingress
no ipv4 access-group ACL_NAME egress
no service-policy input POLICY_NAME
no service-policy output POLICY_NAME
Implement interface filtering
Use infrastructure ACLs or firewall rules to restrict traffic to vulnerable interfaces from untrusted sources.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to vulnerable interfaces
- Deploy intrusion prevention systems with signatures for malformed IPv4 packets
🔍 How to Verify
Check if Vulnerable:
Check IOS XR version with 'show version' and verify if interfaces have IPv4 ACLs or QoS policies applied using 'show running-config interface'.
Check Version:
show version | include Cisco IOS XR Software
Verify Fix Applied:
Confirm IOS XR version is 7.11.2 or later with 'show version' and verify patch is installed via 'show install active summary'.
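The two checks above (release older than 7.11.2, and interfaces carrying an IPv4 ACL or QoS service policy) can be automated over captured CLI output. The script below is an added example, not code from the advisory or from Cisco; the 'show version' and 'show running-config interface' samples it parses are constructed for illustration, and the exact output format of a given release may differ.

```python
"""
Added example (not from the advisory or Cisco): audit captured IOS XR CLI
output for the two exposure conditions the advisory names.
Sample CLI output below is constructed for illustration.
"""
import re

FIXED_VERSION = (7, 11, 2)   # from the advisory: fixed in 7.11.2 or later

# Constructed sample of: show version | include Cisco IOS XR Software
SHOW_VERSION = "Cisco IOS XR Software, Version 7.10.1 LNT\n"

# Constructed sample of: show running-config interface
SHOW_RUN_INTERFACE = """\
interface Bundle-Ether10
 description uplink-to-core (constructed)
 ipv4 address 192.0.2.1 255.255.255.252
 ipv4 access-group EDGE_IN ingress
 service-policy input PM_EDGE_IN
!
interface GigabitEthernet0/0/0/0
 description mgmt-only (constructed)
 ipv4 address 198.51.100.1 255.255.255.0
!
interface TenGigE0/1/0/3
 l2transport
  service-policy input PM_L2VPN
 !
!
interface TenGigE0/1/0/4
 ipv4 address 203.0.113.1 255.255.255.0
 ipv4 access-group CUSTOMER_OUT egress
!
"""


def parse_version(show_version: str) -> tuple:
    """Extract the IOS XR release as a tuple of ints, e.g. (7, 10, 1)."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("could not find an IOS XR version string")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(show_version: str) -> bool:
    """True when the running release is 7.11.2 or later (tuple comparison)."""
    return parse_version(show_version) >= FIXED_VERSION


def interfaces_with_ipv4_acl_or_qos(show_run: str) -> dict:
    """Map interface name -> list of 'ipv4 access-group' / 'service-policy'
    lines found under it. Sub-modes such as l2transport are included because
    a QoS policy applied there still counts as a policy on the interface."""
    result = {}
    current = None
    for line in show_run.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("ipv4 access-group ") or stripped.startswith("service-policy "):
            result.setdefault(current, []).append(stripped)
    return result


def assess(show_version: str, show_run: str) -> dict:
    """Combine both checks: action is needed only when the release is not
    fixed AND at least one interface has an IPv4 ACL or QoS policy."""
    fixed = version_is_fixed(show_version)
    exposed = interfaces_with_ipv4_acl_or_qos(show_run)
    return {
        "fixed_release": fixed,
        "exposed_interfaces": exposed,
        "action_needed": (not fixed) and bool(exposed),
    }


if __name__ == "__main__":
    report = assess(SHOW_VERSION, SHOW_RUN_INTERFACE)
    print("fixed release:", report["fixed_release"])
    for name, lines in report["exposed_interfaces"].items():
        print(name, "->", "; ".join(lines))
    print("action needed:", report["action_needed"])
```

Feed the script real output captured from each router (for example via SSH) in place of the constructed samples; an interface with only an IPv4 address and no access-group or service-policy line, like the management interface in the sample, is correctly left out of the exposed set.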
📡 Detection & Monitoring
Log Indicators:
- Line card reset messages in system logs
- Network processor error messages
- Unexpected interface state changes
Network Indicators:
- Sudden traffic drops on specific interfaces
- Increased packet loss on affected line cards
- Unusual malformed IPv4 packets to router interfaces
SIEM Query:
source="router_logs" AND ("line card reset" OR "network processor error" OR "%PKT_INFRA-3-UNEXPECTED_PACKET")
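The SIEM query above is a simple term match; to turn it into something that fires on a pattern rather than on a single noisy message, the same terms can be applied offline and bursts of hits from one node counted over a time window. The script below is an added example, not code from the advisory: the syslog line format is an approximation of IOS XR's "node:timestamp : process: message" layout, the log lines are constructed, and only the message ID %PKT_INFRA-3-UNEXPECTED_PACKET is taken from the advisory's query.

```python
"""
Added example (not from the advisory): apply the advisory's SIEM query terms
to router syslog lines offline and flag repeated hits from the same reporting
node inside a time window. Log lines and their format are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same terms as the advisory's SIEM query; matched case-insensitively
INDICATORS = ("line card reset", "network processor error", "%PKT_INFRA-3-UNEXPECTED_PACKET")

# Constructed sample syslog lines: "<node>:<ISO timestamp> : <process>: <message>"
SAMPLE_LOGS = [
    "RP/0/RSP0/CPU0:2025-03-05T10:15:02 : pkt_infra[250]: %PKT_INFRA-3-UNEXPECTED_PACKET : unexpected packet on TenGigE0/1/0/3",
    "RP/0/RSP0/CPU0:2025-03-05T10:15:03 : sysmgr[80]: Line card reset requested for node 0/1/CPU0",
    "RP/0/RSP0/CPU0:2025-03-05T10:15:10 : ifmgr[300]: Interface TenGigE0/1/0/3, changed state to Down",
    "RP/0/RSP0/CPU0:2025-03-05T10:20:40 : npu_drvr[400]: Network processor error on node 0/1/CPU0",
    "RP/0/RSP0/CPU0:2025-03-05T11:00:00 : config[65]: Configured from console by admin",
    "RP/0/RSP0/CPU0:2025-03-05T11:02:15 : sysmgr[80]: Line card reset requested for node 0/1/CPU0",
]

LINE_RE = re.compile(r"^(?P<node>[^:]+):(?P<ts>\S+) : (?P<msg>.*)$")


def parse_line(line: str):
    """Split a syslog line into (node, timestamp, message); None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("node"), datetime.fromisoformat(m.group("ts")), m.group("msg")


def matches_query(message: str):
    """Return the first indicator term found in the message, or None."""
    lowered = message.lower()
    for term in INDICATORS:
        if term.lower() in lowered:
            return term
    return None


def find_hits(lines) -> list:
    """Lines that satisfy the query, with node, timestamp and matched term."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        node, ts, msg = parsed
        term = matches_query(msg)
        if term is not None:
            hits.append({"node": node, "ts": ts, "indicator": term, "message": msg})
    return hits


def burst_alerts(hits, window=timedelta(minutes=10), threshold=3) -> list:
    """Flag a node that produced >= threshold matching messages within any
    span of length `window`; each burst is reported once."""
    by_node = defaultdict(list)
    for h in hits:
        by_node[h["node"]].append(h)
    alerts = []
    for node, node_hits in by_node.items():
        node_hits.sort(key=lambda h: h["ts"])
        i = 0
        while i < len(node_hits):
            start = node_hits[i]["ts"]
            j = i
            while j < len(node_hits) and node_hits[j]["ts"] - start <= window:
                j += 1
            count = j - i
            if count >= threshold:
                alerts.append({"node": node, "start": start, "count": count})
                i = j  # skip past this burst so it is not counted twice
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOGS)
    for h in hits:
        print(h["ts"].isoformat(), h["node"], h["indicator"])
    for a in burst_alerts(hits):
        print("ALERT:", a["node"], "had", a["count"], "hits starting", a["start"].isoformat())
```

On the constructed input the unexpected-packet message, the line card reset and the network processor error fall within one ten-minute span and produce a single alert, while the lone reset at 11:02 does not; an interface state change is not among the query terms and is ignored, so pair this with the interface counters listed under Network Indicators if you want that signal too.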