Security updates: Attackers can paralyze Cisco routers
Vulnerabilities in Cisco's IOS XR system jeopardize networks. Admins should update their systems promptly.
Attackers can exploit several security vulnerabilities in Cisco's IOS XR system. This system serves as the basis for routers in the ASR-9000 series, among others. So far there have been no reports of attacks.
According to the developers, the vulnerabilities are fixed in IOS XR versions 24.2.21, 24.4.2, 25.1.1, 25.1.2 and 25.2.1. Cisco states that there are no security updates for the following releases: 7.10, 7.11, 24.1, 24.3 and 24.4.
Software vulnerabilities
The most dangerous is a DoS vulnerability (CVE-2025-20340 "high") in the implementation of the Address Resolution Protocol (ARP). Unauthenticated attackers can flood the management interface with requests, overloading instances so that they can no longer be used.
If attackers successfully exploit another vulnerability (CVE-2025-20248 "medium"), they can manipulate .iso images, which are then installed. To do so, however, they must overcome a major hurdle: they must already be logged in as the root user on a vulnerable system.
The third vulnerability (CVE-2025-20159 "medium") allows attackers to bypass Access Control Lists (ACL).
List sorted by threat level in descending order:
(des)