Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-20141

CVE-2025-20141: Cisco IOS XR Software DoS Vulnerability

CVE-2025-20141 is a denial of service vulnerability in Cisco IOS XR Software that allows adjacent attackers to disrupt control plane traffic. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-20141 Overview

CVE-2025-20141 is a denial of service (DoS) vulnerability affecting Cisco IOS XR Software Release 7.9.2 running on multiple Cisco Network Convergence System (NCS) platforms. The flaw stems from incorrect handling of specific packets punted from a line card to the route processor. An unauthenticated, adjacent attacker can send traffic that must be processed by the Linux stack on the route processor to trigger the condition. Successful exploitation halts control plane traffic, resulting in a network-impacting outage on affected devices. The vulnerability maps to [CWE-770] (Allocation of Resources Without Limits or Throttling).

Critical Impact

An adjacent attacker can stop control plane traffic on affected Cisco IOS XR platforms, producing a DoS condition across NCS 540, 550x, 5500, and 5700 series routers.

Affected Products

  • Cisco IOS XR Software Release 7.9.2
  • Cisco NCS 540 and 540X series routers
  • Cisco NCS 5500, 5501, 5502, 5504, 5508, 5516, 55A1, 55A2, 57B1, 57C1, 57C3, and 57D2 platforms

Discovery Timeline

  • 2025-03-12 - CVE-2025-20141 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-20141

Vulnerability Analysis

The vulnerability resides in the punt path between line cards and the route processor in Cisco IOS XR 7.9.2. Certain packets that reach the route processor's Linux stack are handled incorrectly, allowing an attacker to disrupt control plane processing. Because control plane traffic drives routing protocols, management, and neighbor keepalives, an outage on this path degrades or halts network operation on the affected device.

The attack requires only adjacent network access with no authentication or user interaction, but the impact is limited to availability. External research on crafted BGP AS_PATH attributes referenced by the vendor advisory suggests that malformed or expensive control plane traffic can drive punt path exhaustion on network operating systems.

Root Cause

The root cause is improper handling and resource management of punted packets destined for the route processor's Linux stack. Per [CWE-770], the affected code path processes traffic without adequate throttling or validation, allowing crafted traffic to overwhelm or wedge the control plane processing pipeline.

Attack Vector

An attacker on an adjacent network sends traffic that the line card punts to the route processor for Linux stack processing. Repeated or crafted traffic of this type causes the control plane to stop processing legitimate traffic. Exploitation does not require credentials or user interaction and can be launched from any Layer 2 or Layer 3 adjacent position that can source packets that will be punted to the RP. Technical background on crafting expensive routing protocol traffic is described in the APNIC Blog Post on BGP.

No public proof-of-concept exploit is listed for CVE-2025-20141, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities list.

Detection Methods for CVE-2025-20141

Indicators of Compromise

  • Sudden loss of routing protocol adjacencies (BGP, OSPF, IS-IS) on affected NCS platforms without a corresponding hardware fault
  • Loss of management plane reachability (SSH, SNMP, NETCONF) to the route processor while the data plane remains partially operational
  • Elevated punt path counters or drops observed via show controllers npu stats and show lpts pifib hardware police outputs

Detection Strategies

  • Monitor Local Packet Transport Services (LPTS) policer drop counters for abnormal increases from adjacent peers
  • Correlate control plane process health with syslog messages referencing punt queue congestion or Linux stack processing errors on the RP
  • Alert on rapid routing adjacency flaps clustered on a single ingress line card, which can indicate punt path abuse

Monitoring Recommendations

  • Ingest IOS XR syslog and streaming telemetry into a centralized platform and baseline punt/LPTS counters per neighbor
  • Track BGP session stability and control plane CPU on the route processor, alerting on deviations from baseline
  • Review adjacent-network peers and enforce strict prefix and AS_PATH filters to reduce the volume of unusual control plane traffic

How to Mitigate CVE-2025-20141

Immediate Actions Required

  • Identify all devices running Cisco IOS XR 7.9.2 on the affected NCS platforms listed in the vendor advisory
  • Apply the fixed IOS XR release documented in the Cisco Security Advisory
  • Restrict adjacent-network access to trusted peers only until patching is complete

Patch Information

Cisco has published fixed software in the Cisco Security Advisory cisco-sa-xr792-bWfVDPY. Operators running IOS XR 7.9.2 should upgrade to a release version identified as fixed in the advisory for their specific platform.

Workarounds

  • Apply LPTS policers to rate-limit traffic punted to the route processor from untrusted neighbors
  • Enforce control plane infrastructure ACLs (iACLs) to restrict which sources can send traffic that will be punted to the RP
  • Use BGP maximum-prefix limits, AS_PATH length filters, and neighbor authentication to reduce exposure to crafted routing traffic from adjacent peers
bash
# Configuration example: restrict punt traffic with an infrastructure ACL
# Consult the Cisco advisory for platform-specific guidance before applying
ipv4 access-list PROTECT-RP
 permit tcp host <trusted-peer> any eq bgp
 permit tcp host <trusted-peer> eq bgp any
 deny   ipv4 any any
!
control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 <trusted-peer>
    !
   !
  !
 !
!

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.