Full Report
Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message. [...]
Analysis Summary
# Vulnerability: BGP Crash in Cisco IOS XR via AS\_CONFED\_SEQUENCE Attribute
## CVE Details
- CVE ID: CVE-2025-20115 (inferred: the identifier is not stated in the headline or summary block, but the context refers to the APNIC technical write-up associated with this issue.)
- CVSS Score: (Not explicitly provided in the summary; the severity stems from denial of service via a BGP process crash.)
- CWE: (Not explicitly provided)
## Affected Systems
- Products: Cisco IOS XR Routers
- Versions: Releases 24.1 and earlier, 24.2, and 24.3. The fixed versions named are 24.2.21 (a future release in the 24.2 stream) and 24.3.1. Release 24.4 is noted as not affected.
- Configurations: Devices running BGP that process the BGP AS\_CONFED\_SEQUENCE attribute.
## Vulnerability Description
The vulnerability lies in the processing of the Border Gateway Protocol (BGP) AS\_CONFED\_SEQUENCE attribute. An unauthenticated, remote attacker can send crafted BGP traffic that crashes the BGP process on an affected Cisco IOS XR router, causing a denial of service (DoS). The details are tied to an external technical analysis on "crafting endless AS paths in BGP."
## Exploitation
- Status: No evidence of exploitation in the wild found by Cisco PSIRT, but technical details are publicly available via an APNIC blog post authored in September.
- Complexity: Low (implied: an unauthenticated attacker needs only to send crafted traffic.)
- Attack Vector: Network
## Impact
- Confidentiality: No direct impact mentioned.
- Integrity: No direct impact mentioned (though BGP state corruption may occur).
- Availability: High (Can cause the BGP process to crash, leading to network service disruption.)
## Remediation
### Patches
Customers are strongly advised to migrate to fixed releases:
- For 24.1 and earlier: Migrate to a fixed release.
- For 24.2 stream: Migrate to 24.2.21 (future release).
- For 24.3 stream: Migrate to 24.3.1.
- 24.4 is not affected.
### Workarounds
Those unable to immediately apply security patches should restrict the BGP AS\_CONFED\_SEQUENCE attribute to **254 or fewer AS numbers** to limit the potential impact of attacks. Cisco notes this workaround was successful in a test environment, but applicability must be determined by the customer.
## Detection
- Indicators of Compromise: Abnormal termination or restarting of the BGP process on affected devices, potentially coinciding with the receipt of crafted BGP updates.
- Detection methods and tools: Monitor BGP session state and inspect received updates for AS\_CONFED\_SEQUENCE attributes whose AS count exceeds the workaround limit (254).
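The size check described above, as an added example that is not code from the Cisco advisory or the APNIC write-up: it parses the value of a BGP AS\_PATH attribute into its segments and counts the AS numbers carried in AS\_CONFED\_SEQUENCE segments against the 254 threshold from the workaround. It assumes 4-octet AS numbers (RFC 6793) unless told otherwise, and the sample attribute values are constructed, not captured traffic.

```python
import struct

# Segment type codes from RFC 4271 / RFC 5065.
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_SEQ_LIMIT = 254  # threshold from the Cisco workaround (254 or fewer ASNs)


def parse_as_path(value: bytes, asn_width: int = 4) -> list[tuple[int, list[int]]]:
    """Split an AS_PATH attribute value into (segment_type, [asn, ...]) tuples.

    Each segment is: type (1 octet), count (1 octet), then `count` AS numbers.
    asn_width=4 assumes the 4-octet AS capability (RFC 6793); use 2 for legacy peers.
    Malformed lengths raise ValueError rather than being silently skipped.
    """
    fmt = ">I" if asn_width == 4 else ">H"
    segments, off = [], 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        if off + count * asn_width > len(value):
            raise ValueError("segment count runs past end of attribute")
        asns = [struct.unpack_from(fmt, value, off + i * asn_width)[0] for i in range(count)]
        off += count * asn_width
        segments.append((seg_type, asns))
    return segments


def confed_sequence_asn_count(value: bytes, asn_width: int = 4) -> int:
    """Total AS numbers carried in AS_CONFED_SEQUENCE segments, summed across segments."""
    return sum(len(asns) for seg_type, asns in parse_as_path(value, asn_width)
               if seg_type == AS_CONFED_SEQUENCE)


def exceeds_workaround_limit(value: bytes, asn_width: int = 4) -> bool:
    """True when the update should be flagged under the 254-ASN workaround threshold."""
    return confed_sequence_asn_count(value, asn_width) > CONFED_SEQ_LIMIT


# Constructed sample attribute values (not captured traffic).
# Benign: a 3-hop confederation sequence followed by a 2-hop public AS_SEQUENCE.
BENIGN = bytes([AS_CONFED_SEQUENCE, 3]) + struct.pack(">III", 65001, 65002, 65003) \
    + bytes([AS_SEQUENCE, 2]) + struct.pack(">II", 64496, 64497)
# Oversized: two confederation segments of 200 ASNs each (400 in total); each stays
# under the one-octet per-segment limit, but together they pass the 254 threshold.
OVERSIZED = (bytes([AS_CONFED_SEQUENCE, 200]) + struct.pack(">I", 65001) * 200) * 2
```

Summing across segments matters because a single segment can never carry more than 255 ASNs, so a path that is "endless" in practice is built from several confederation segments.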
## References
- Vendor Advisories: Cisco combined advisory referencing this flaw (the specific link was truncated in the source but is mentioned in context). Links to general Cisco security recommendations (sec.cloudapps.cisco.com) are present in the source material.
- Relevant links: Technical write-up on APNIC blog detailing CVE-2025-20115 (defanged: hxxps://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/)