CVE-2025-20154
📋 TL;DR
An out-of-bounds array access vulnerability in Cisco's TWAMP server implementation allows unauthenticated remote attackers to cause device reloads (DoS) by sending crafted TWAMP control packets. Affects Cisco IOS, IOS XE, and IOS XR software with TWAMP server enabled. IOS XR only vulnerable when debug mode is enabled.
💻 Affected Systems
- Cisco IOS Software
- Cisco IOS XE Software
- Cisco IOS XR Software
📦 What is this software?
Ios by Cisco
Ios Xe by Cisco
Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...
Learn more about Ios Xe →Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
Ios Xr by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete device reload causing extended network outage and service disruption
Likely Case
Intermittent device reloads causing temporary DoS until patched
If Mitigated
No impact if TWAMP server disabled or proper access controls implemented
🎯 Exploit Status
Exploitation requires sending specially crafted TWAMP control packets to vulnerable devices
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for fixed releases
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn
Restart Required: Yes
Instructions:
1. Review Cisco advisory for affected versions 2. Upgrade to fixed release 3. Apply patch during maintenance window 4. Verify TWAMP functionality post-upgrade
🔧 Temporary Workarounds
Disable TWAMP Server
allDisable the TWAMP server feature if not required
no ip sla server twamp
Access Control Lists
allRestrict access to TWAMP server using ACLs
access-list 100 deny udp any any eq 862
access-list 100 permit ip any any
🧯 If You Can't Patch
- Disable TWAMP server feature if not required
- Implement strict network access controls to limit TWAMP server exposure
🔍 How to Verify
Check if Vulnerable:
Check if TWAMP server is enabled: 'show ip sla server twamp' and verify IOS/IOS XE/IOS XR version against Cisco advisoryCheck Version:
show versionVerify Fix Applied:
Verify upgraded to fixed version and TWAMP server functionality restored if needed📡 Detection & Monitoring
Log Indicators:
- Device reload messages
- TWAMP server process crashes
- ipsla_ippm_server process reloads (IOS XR)
Network Indicators:
- Unusual TWAMP control packets to port 862
- Multiple connection attempts to TWAMP server
SIEM Query:
source="cisco_router" AND (message="%SYS-5-RELOAD" OR message="%TWAMP-")