862
Cisco recently addressed multiple vulnerabilities in IOS XR, one of which could allow image signature verification bypass. As the updates have been rolled out, users must patch their devices with the latest updates to avoid potential attacks.
Numerous Cisco IOS XR Vulnerabilities Addressed
With recent updates, the networking giant Cisco patched three different vulnerabilities affecting the IOS XR network operating system. Two of these are high-severity vulnerabilities, whereas the third is a medium-severity issue. Below is a quick description of these three vulnerabilities.
CVE-2025-20248 (high severity; CVSS 6.0): This vulnerability impacted the installation process of IOS XR, allowing an authenticated adversary to bypass image signature verification. It existed due to incomplete file validation during .iso installation, allowing the attacker to load unsigned software on the target device. However, exploiting the flaw required the attacker to have root access on the target system. To mitigate the flaw, Cisco introduced additional file checks in an .iso image to prevent an unsigned file installation. The firm has credited an external researcher (without naming them) for reporting this issue.
CVE-2025-20340 (high severity; CVSS 7.4): This vulnerability, affecting the Address Resolution Protocol (ARP) implementation of IOS XR, could trigger denial of service on a target device. It existed due to the way Cisco IOS XR software processed high traffic of ARP traffic hitting the management interface. An attacker could exploit the flaw and trigger device crashes by sending an excessive amount of traffic. Cisco confirmed that no workarounds exist to address the flaw; hence, users must upgrade to a fixed software release to patch the vulnerability.
CVE-2025-20159 (medium severity; CVSS 5.3): This flaw affected the management interface access control list (ACL) processing of IOS XR. Describing this flaw, Cisco stated,
This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC.
An authenticated remote adversary could exploit the flaw by sending traffic to a target vulnerable device. Consequently, the attacker could bypass configured ACLs for the SSH, NetConf, and gRPC features. While Cisco patched this vulnerability with the latest software releases, they have also shared a detailed workaround in the advisory to mitigate the flaw. Hence, for devices where an immediate update is not possible, users may consider applying the workaround to remain safe.
No Active Exploitation Detected For Any Of These Vulnerabilities
Cisco has shared the list of affected routers for all vulnerabilities in the respective advisories. Thankfully, the tech giant confirmed that it had detected no active exploitation attempts for any of these vulnerabilities. Still, Cisco ISO XR users should review the advisories to check if their devices are vulnerable to any of these issues and to deploy the necessary patches.
Let us know your thoughts in the comments.
