SentinelOne CVE Vulnerability Database

CVE-2025-20142: Cisco IOS XR DoS Vulnerability

CVE-2025-20142 is a denial of service vulnerability in Cisco IOS XR Software affecting ASR 9000 Series routers. Attackers can cause line card resets through malformed IPv4 packets. This article covers technical details, affected systems, impact, and mitigation strategies.


CVE-2025-20142 Overview

A vulnerability in the IPv4 access control list (ACL) feature and quality of service (QoS) policy feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition.

This vulnerability is due to the incorrect handling of malformed IPv4 packets that are received on line cards where the interface has either an IPv4 ACL or QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 packets through an affected device. A successful exploit could allow the attacker to cause network processor errors, resulting in a reset or shutdown of the network processor. Traffic over that line card would be lost while the line card reloads.

Critical Impact

Unauthenticated remote attackers can cause line card resets on Cisco ASR 9000 Series routers, resulting in complete traffic loss across affected line cards during reload cycles. This vulnerability has predominantly been observed in Layer 2 VPN (L2VPN) environments.

Affected Products

  • Cisco IOS XR Software versions 6.7.2 through 7.10.1
  • Cisco ASR 9000 Series Aggregation Services Routers (ASR 9006, ASR 9010, ASR 9901, ASR 9904, ASR 9906, ASR 9910, ASR 9912, ASR 9922)
  • Cisco ASR 9902 Compact High-Performance Routers
  • Cisco ASR 9903 Compact High-Performance Routers

Discovery Timeline

  • March 12, 2025 - CVE-2025-20142 published to NVD
  • August 1, 2025 - Last updated in NVD database

Technical Details for CVE-2025-20142

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in the network processor handling of IPv4 packets on Cisco IOS XR devices. When an interface has an IPv4 ACL or QoS policy applied, the network processor must evaluate incoming packets against these policies. The vulnerability exists in the code path that processes malformed IPv4 packets during this evaluation.

The impact is particularly significant in Layer 2 VPN (L2VPN) environments where IPv4 ACL or QoS policies are applied to bridge virtual interfaces. In these configurations, the L2VPN service extends Layer 2 connectivity across the provider network, and any disruption to line card operations directly impacts all traffic traversing that virtual circuit.

Layer 3 configurations with IPv4 ACL or QoS policies applied are also theoretically affected, though the vulnerability has been predominantly observed in L2VPN deployments. The attack requires no authentication and is triggered by transit traffic: the crafted packets only need to be forwarded through an interface that has an IPv4 ACL or QoS policy applied, so they do not have to be addressed to the router itself, and filtering that only protects traffic destined to the router (management-plane or control-plane policing) does not prevent it.

Root Cause

The root cause is improper input validation in the Cisco IOS XR network processor when handling malformed IPv4 packets. Specifically, when a line card interface has an IPv4 ACL or QoS policy configured, the packet processing logic fails to properly validate certain malformed IPv4 packet structures during policy evaluation. This drives the network processor into an error state, and the line card is reset to recover from it, which drops all traffic on that card until the reload completes.

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying target Cisco ASR 9000 Series routers running vulnerable IOS XR versions
  2. Determining interfaces with IPv4 ACL or QoS policies applied (commonly found in L2VPN configurations)
  3. Crafting and sending malformed IPv4 packets to traverse the affected interface
  4. The malformed packets trigger network processor errors on the line card
  5. The line card resets, causing traffic loss for all services on that card

The attack can be repeated to cause sustained denial of service conditions, as each successful exploit triggers a line card reload cycle.

Detection Methods for CVE-2025-20142

Indicators of Compromise

  • Unexpected line card resets or reboots on Cisco ASR 9000 Series routers
  • Network processor error messages in system logs referencing IPv4 ACL or QoS processing
  • Sudden traffic loss on L2VPN services with bridge virtual interfaces configured with ACLs or QoS policies
  • Repeated line card reload events correlating with external network traffic patterns

Detection Strategies

  • Monitor IOS XR syslog for line card node state changes (RESET, reload) and process restarts; these messages carry the line card location in their prefix, for example LC/0/0/CPU0 or, for node state changes reported by the route processor, the location in the message text
  • Configure SNMP traps for line card state changes and network processor exceptions
  • Implement NetFlow or traffic analysis to identify anomalous IPv4 packet patterns targeting ACL/QoS-enabled interfaces
  • Review show logging output for network processor fault messages related to packet processing

Monitoring Recommendations

  • Enable syslog forwarding to a centralized SIEM for correlation of line card events across the network
  • Configure hardware monitoring to alert on unexpected line card power cycles or resets
  • Implement baseline monitoring of line card uptime and reload frequency to detect exploitation attempts
  • Monitor BGP/OSPF neighbor flaps that may indicate underlying line card instability
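The following is an added example, not code from the original page or from Cisco: it runs the detection logic described under Detection Strategies and Monitoring Recommendations over a constructed IOS XR syslog excerpt. The syslog line layout follows the IOS XR convention (node prefix, timestamp, process, `%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC`), but the specific mnemonics and message texts are illustrative assumptions and must be tuned against the messages your line cards actually emit. It does two things the bullet list only names: it counts line card resets per location inside a sliding window (a reload storm), and it correlates each reset with a preceding network processor error on the same location, which is the error-then-reload sequence the advisory describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IOS XR syslog excerpt (not captured from a real device).
# Mnemonics and message texts are illustrative; adjust classify() to your logs.
SAMPLE_LOG = """\
LC/0/1/CPU0:Mar 12 10:02:11.101 UTC: prm_server_ty[303]: %PLATFORM-NP-3-ERROR : NP0 reported a parser exception while processing an ingress IPv4 packet
RP/0/RSP0/CPU0:Mar 12 10:02:14.220 UTC: shelfmgr[370]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/1/CPU0 state: RESET
RP/0/RSP0/CPU0:Mar 12 10:05:40.004 UTC: shelfmgr[370]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/1/CPU0 state: IOS XR RUN
RP/0/RSP0/CPU0:Mar 12 10:09:02.910 UTC: bgp[1052]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.0.2.1 Down - interface flap
LC/0/1/CPU0:Mar 12 10:21:33.512 UTC: prm_server_ty[303]: %PLATFORM-NP-3-ERROR : NP0 reported a parser exception while processing an ingress IPv4 packet
RP/0/RSP0/CPU0:Mar 12 10:21:36.071 UTC: shelfmgr[370]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/1/CPU0 state: RESET
RP/0/RSP0/CPU0:Mar 12 11:40:00.000 UTC: shelfmgr[370]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/3/CPU0 state: RESET
LC/0/3/CPU0:Mar 12 11:45:10.000 UTC: sysmgr[80]: %OS-SYSMGR-5-NOTICE : planned reload requested by admin
"""

# <type>/<location>:<timestamp> <tz>: <process>[pid]: %FAC-SUBFAC-SEV-MNEMONIC : text
LINE_RE = re.compile(
    r"^(?P<node>(?:LC|RP)/[^:]+):"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) \S+: "
    r"(?P<proc>[^\[]+)\[\d+\]: "
    r"%(?P<fac>[A-Z0-9_-]+?)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+) : (?P<text>.*)$"
)
LOC_RE = re.compile(r"\b\d+/\d+/CPU\d\b")  # line card locations such as 0/1/CPU0


def classify(m):
    """Map a parsed line to 'np_error', 'lc_reset' or None (ignored)."""
    fac, sev, mnem, text = m["fac"], int(m["sev"]), m["mnem"], m["text"]
    # Node state change announcing a reset/reload of a line card.
    if mnem == "NODE_STATE_CHANGE" and re.search(r"\bRESET\b|\bRELOAD", text):
        return "lc_reset"
    # Network processor fault at error severity or worse (0-3).
    if sev <= 3 and (fac.split("-")[-1] == "NP" or re.search(r"\bNP\d+\b", text)):
        return "np_error"
    return None


def parse_log(text, year=2025):
    """Syslog lines lack a year; it is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m)
        if kind is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        # Prefer the location named in the text (RP-reported state changes);
        # otherwise use the node prefix minus its LC/ or RP/ type.
        loc = LOC_RE.search(m["text"])
        location = loc.group(0) if loc else m["node"].split("/", 1)[1]
        events.append({"ts": ts, "location": location, "kind": kind, "raw": line})
    return events


def reload_storms(events, window=timedelta(minutes=30), threshold=2):
    """Locations with at least `threshold` resets inside any `window`."""
    by_loc = defaultdict(list)
    for e in events:
        if e["kind"] == "lc_reset":
            by_loc[e["location"]].append(e["ts"])
    alerts = {}
    for loc, times in by_loc.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[loc] = best
    return alerts


def np_correlated_resets(events, lag=timedelta(seconds=60)):
    """Resets preceded within `lag` by an NP error on the same location."""
    errors = [e for e in events if e["kind"] == "np_error"]
    hits = []
    for r in (e for e in events if e["kind"] == "lc_reset"):
        if any(e["location"] == r["location"] and timedelta(0) <= r["ts"] - e["ts"] <= lag
               for e in errors):
            hits.append(r)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reload storms:", reload_storms(evs))
    for h in np_correlated_resets(evs):
        print("NP error followed by reset:", h["location"], h["ts"])
```

A planned reload (the last sample line) is deliberately not counted, since only node state changes are treated as resets; a reset that follows an NP error within seconds, repeated on the same card, is the pattern worth paging on, while a single isolated reset is usually hardware or maintenance.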

How to Mitigate CVE-2025-20142

Immediate Actions Required

  • Review all Cisco ASR 9000 Series routers for vulnerable IOS XR versions (6.7.2 through 7.10.1)
  • Identify interfaces with IPv4 ACL or QoS policies applied, especially in L2VPN configurations
  • Prioritize patching for devices in critical network paths or high-availability deployments
  • Consult the Cisco Security Advisory for fixed software releases

Patch Information

Cisco has released fixed software versions to address this vulnerability. Organizations should upgrade to a fixed release of Cisco IOS XR Software as specified in the Cisco Security Advisory cisco-sa-ipv4uni-LfM3cfBu. Contact Cisco TAC or refer to the advisory for specific fixed release information applicable to your deployment.

Workarounds

  • No complete workarounds are available; applying the security patch is the recommended remediation
  • Consider ingress filtering upstream of the affected router to limit exposure to crafted packets; this only helps if the upstream device can drop the malformed packets before they reach an ACL- or QoS-enabled interface on the affected line card
  • Evaluate temporarily removing IPv4 ACLs or QoS policies from critical interfaces if operationally feasible; this removes the trigger condition but leaves those interfaces unfiltered and unshaped, so weigh the security trade-off
  • Deploy redundant line cards where possible to minimize impact of potential exploitation
```
# IOS XR CLI (exec mode), not a bash script.
# Verify the IOS XR version and identify interfaces with an IPv4 ACL or QoS policy applied
show version
show running-config interface | include "ipv4 access-group|service-policy"
# "formal" output prefixes each line with its interface name, so matches are attributable
show running-config formal interface | include "ipv4 access-group|service-policy"

# Check line card status and recent reset/NPU error messages
show platform
show logging | include "LC.*reset|NPU.*error"
```
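To turn the triage steps under Immediate Actions into a repeatable check, the following added example (not code from the page or from Cisco) parses captured `show version` and `show running-config` output, decides whether the release falls in the version window this page states (6.7.2 through 7.10.1, which you should confirm against the Cisco advisory before acting on it), and lists every interface that carries an IPv4 ACL or a QoS policy, flagging bridge virtual interfaces since the L2VPN case is where the problem has mostly been seen. The sample output, interface names, ACL names and policy names are constructed for the example.

```python
import re

# Constructed sample CLI output (not captured from a real device). The layout
# follows IOS XR's "show version" banner and "show running-config" interface
# stanzas; names are illustrative.
SHOW_VERSION = """\
Cisco IOS XR Software, Version 7.3.2
Copyright (c) 2013-2021 by Cisco Systems, Inc.
"""

RUNNING_CONFIG = """\
interface Bundle-Ether10
 description uplink to PE2
 ipv4 address 198.51.100.1 255.255.255.252
 service-policy input PM-INGRESS
 ipv4 access-group ACL-EDGE-IN ingress
!
interface BVI100
 description L2VPN bridge-domain 100
 ipv4 address 203.0.113.1 255.255.255.0
 ipv4 access-group ACL-BVI ingress
!
interface GigabitEthernet0/0/0/1
 description customer access, no policy
 ipv4 address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/0/0/2
 l2transport
 !
!
"""

# Version window as stated on this page; confirm against the Cisco advisory
# (cisco-sa-ipv4uni-LfM3cfBu) before acting on the result.
AFFECTED_LOW = (6, 7, 2)
AFFECTED_HIGH = (7, 10, 1)

VERSION_RE = re.compile(r"Cisco IOS XR Software, Version (\d+)\.(\d+)\.(\d+)")
ACL_RE = re.compile(r"^\s*ipv4 access-group (\S+) (ingress|egress)", re.M)
QOS_RE = re.compile(r"^\s*service-policy (input|output) (\S+)", re.M)


def parse_version(show_version):
    """Return the release as an int tuple, e.g. (7, 3, 2), or None if absent."""
    m = VERSION_RE.search(show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_range(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """Integer tuples compare 7.10.1 > 7.3.2 correctly; strings would not."""
    return low <= version <= high


def exposed_interfaces(running_config):
    """Interfaces carrying an IPv4 ACL or QoS policy, i.e. the trigger condition."""
    found = []
    # Top-level stanzas end with a bare "!"; nested sub-blocks use " !" and are kept.
    for stanza in re.split(r"^!$", running_config, flags=re.M):
        m = re.match(r"\s*interface (\S+)", stanza)
        if not m:
            continue
        acls = [f"{name} {direction}" for name, direction in ACL_RE.findall(stanza)]
        policies = [f"{direction} {name}" for direction, name in QOS_RE.findall(stanza)]
        if acls or policies:
            name = m.group(1)
            found.append({"name": name, "acls": acls, "policies": policies,
                          "bvi": name.upper().startswith("BVI")})
    return found


def triage(show_version, running_config):
    version = parse_version(show_version)
    exposed = exposed_interfaces(running_config)
    vulnerable_version = version is not None and version_in_range(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "exposed": exposed,
        # Both conditions must hold: an affected release AND at least one
        # interface with an IPv4 ACL or QoS policy applied.
        "action_required": vulnerable_version and bool(exposed),
    }


if __name__ == "__main__":
    result = triage(SHOW_VERSION, RUNNING_CONFIG)
    print(f"IOS XR {'.'.join(map(str, result['version']))}: "
          f"{'in' if result['vulnerable_version'] else 'outside'} affected range")
    for i in result["exposed"]:
        tag = " (BVI, L2VPN case)" if i["bvi"] else ""
        print(f"  {i['name']}{tag}: acls={i['acls']} policies={i['policies']}")
    print("action required:", result["action_required"])
```

Run it against text saved from the device, or feed it the output of the `show` commands above collected by your configuration management tooling; the useful property is that the version comparison is numeric, so 7.10.1 is correctly treated as newer than 7.3.2, and an interface with only an `l2transport` sub-block and no policy is not reported.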

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
