cvelistv5 - cve-2025-20159

CVE-2025-20159 (GCVE-0-2025-20159)

Vulnerability from cvelistv5 – Published: 2025-09-10 16:06 – Updated: 2025-09-10 18:20

Summary

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-284 - Improper Access Control

Assigner

cisco

References

URL

Tags

https://sec.cloudapps.cisco.com/security/center/c…

Impacted products

	Vendor	Product	Version
	Cisco	Cisco IOS XR Software	Affected: 6.6.1 Affected: 6.5.3 Affected: 7.0.1 Affected: 6.6.11 Affected: 6.5.1 Affected: 6.5.2 Affected: 6.6.2 Affected: 6.6.12 Affected: 6.6.25 Affected: 7.1.1 Affected: 7.0.90 Affected: 6.6.3 Affected: 7.0.2 Affected: 7.1.2 Affected: 7.2.1 Affected: 7.0.11 Affected: 7.0.12 Affected: 7.0.14 Affected: 6.6.4 Affected: 7.2.12 Affected: 7.3.1 Affected: 7.4.1 Affected: 7.2.2 Affected: 7.3.15 Affected: 7.3.16 Affected: 7.4.15 Affected: 7.3.2 Affected: 7.5.1 Affected: 7.4.16 Affected: 7.3.27 Affected: 7.6.1 Affected: 7.5.2 Affected: 7.8.1 Affected: 7.6.15 Affected: 7.5.12 Affected: 7.8.12 Affected: 7.3.4 Affected: 7.3.3 Affected: 7.4.2 Affected: 7.7.1 Affected: 7.6.2 Affected: 7.5.3 Affected: 7.7.2 Affected: 7.9.1 Affected: 7.10.1 Affected: 7.8.2 Affected: 7.5.4 Affected: 7.8.22 Affected: 7.7.21 Affected: 7.9.2 Affected: 7.3.5 Affected: 7.5.5 Affected: 7.11.1 Affected: 7.10.2 Affected: 24.1.1 Affected: 7.3.6 Affected: 7.5.52 Affected: 7.11.2 Affected: 24.2.1 Affected: 24.1.2 Affected: 24.2.11 Affected: 24.3.1 Affected: 24.4.1 Affected: 24.2.2 Affected: 7.11.21 Affected: 24.2.20 Affected: 24.3.2 Affected: 25.1.1 Affected: 24.4.2 Affected: 24.3.20 Affected: 25.1.2 Affected: 24.3.30 Affected: 24.4.30 Affected: 24.2.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20159",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T18:20:15.573247Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T18:20:28.931Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco IOS XR Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "6.6.1"
            },
            {
              "status": "affected",
              "version": "6.5.3"
            },
            {
              "status": "affected",
              "version": "7.0.1"
            },
            {
              "status": "affected",
              "version": "6.6.11"
            },
            {
              "status": "affected",
              "version": "6.5.1"
            },
            {
              "status": "affected",
              "version": "6.5.2"
            },
            {
              "status": "affected",
              "version": "6.6.2"
            },
            {
              "status": "affected",
              "version": "6.6.12"
            },
            {
              "status": "affected",
              "version": "6.6.25"
            },
            {
              "status": "affected",
              "version": "7.1.1"
            },
            {
              "status": "affected",
              "version": "7.0.90"
            },
            {
              "status": "affected",
              "version": "6.6.3"
            },
            {
              "status": "affected",
              "version": "7.0.2"
            },
            {
              "status": "affected",
              "version": "7.1.2"
            },
            {
              "status": "affected",
              "version": "7.2.1"
            },
            {
              "status": "affected",
              "version": "7.0.11"
            },
            {
              "status": "affected",
              "version": "7.0.12"
            },
            {
              "status": "affected",
              "version": "7.0.14"
            },
            {
              "status": "affected",
              "version": "6.6.4"
            },
            {
              "status": "affected",
              "version": "7.2.12"
            },
            {
              "status": "affected",
              "version": "7.3.1"
            },
            {
              "status": "affected",
              "version": "7.4.1"
            },
            {
              "status": "affected",
              "version": "7.2.2"
            },
            {
              "status": "affected",
              "version": "7.3.15"
            },
            {
              "status": "affected",
              "version": "7.3.16"
            },
            {
              "status": "affected",
              "version": "7.4.15"
            },
            {
              "status": "affected",
              "version": "7.3.2"
            },
            {
              "status": "affected",
              "version": "7.5.1"
            },
            {
              "status": "affected",
              "version": "7.4.16"
            },
            {
              "status": "affected",
              "version": "7.3.27"
            },
            {
              "status": "affected",
              "version": "7.6.1"
            },
            {
              "status": "affected",
              "version": "7.5.2"
            },
            {
              "status": "affected",
              "version": "7.8.1"
            },
            {
              "status": "affected",
              "version": "7.6.15"
            },
            {
              "status": "affected",
              "version": "7.5.12"
            },
            {
              "status": "affected",
              "version": "7.8.12"
            },
            {
              "status": "affected",
              "version": "7.3.4"
            },
            {
              "status": "affected",
              "version": "7.3.3"
            },
            {
              "status": "affected",
              "version": "7.4.2"
            },
            {
              "status": "affected",
              "version": "7.7.1"
            },
            {
              "status": "affected",
              "version": "7.6.2"
            },
            {
              "status": "affected",
              "version": "7.5.3"
            },
            {
              "status": "affected",
              "version": "7.7.2"
            },
            {
              "status": "affected",
              "version": "7.9.1"
            },
            {
              "status": "affected",
              "version": "7.10.1"
            },
            {
              "status": "affected",
              "version": "7.8.2"
            },
            {
              "status": "affected",
              "version": "7.5.4"
            },
            {
              "status": "affected",
              "version": "7.8.22"
            },
            {
              "status": "affected",
              "version": "7.7.21"
            },
            {
              "status": "affected",
              "version": "7.9.2"
            },
            {
              "status": "affected",
              "version": "7.3.5"
            },
            {
              "status": "affected",
              "version": "7.5.5"
            },
            {
              "status": "affected",
              "version": "7.11.1"
            },
            {
              "status": "affected",
              "version": "7.10.2"
            },
            {
              "status": "affected",
              "version": "24.1.1"
            },
            {
              "status": "affected",
              "version": "7.3.6"
            },
            {
              "status": "affected",
              "version": "7.5.52"
            },
            {
              "status": "affected",
              "version": "7.11.2"
            },
            {
              "status": "affected",
              "version": "24.2.1"
            },
            {
              "status": "affected",
              "version": "24.1.2"
            },
            {
              "status": "affected",
              "version": "24.2.11"
            },
            {
              "status": "affected",
              "version": "24.3.1"
            },
            {
              "status": "affected",
              "version": "24.4.1"
            },
            {
              "status": "affected",
              "version": "24.2.2"
            },
            {
              "status": "affected",
              "version": "7.11.21"
            },
            {
              "status": "affected",
              "version": "24.2.20"
            },
            {
              "status": "affected",
              "version": "24.3.2"
            },
            {
              "status": "affected",
              "version": "25.1.1"
            },
            {
              "status": "affected",
              "version": "24.4.2"
            },
            {
              "status": "affected",
              "version": "24.3.20"
            },
            {
              "status": "affected",
              "version": "25.1.2"
            },
            {
              "status": "affected",
              "version": "24.3.30"
            },
            {
              "status": "affected",
              "version": "24.4.30"
            },
            {
              "status": "affected",
              "version": "24.2.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\r\n\r\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-10T16:06:49.862Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-acl-packetio-Swjhhbtz",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz"
        }
      ],
      "source": {
        "advisory": "cisco-sa-acl-packetio-Swjhhbtz",
        "defects": [
          "CSCwb70861"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20159",
    "datePublished": "2025-09-10T16:06:49.862Z",
    "dateReserved": "2024-10-10T19:15:13.217Z",
    "dateUpdated": "2025-09-10T18:20:28.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-20159\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2025-09-10T16:15:35.880\",\"lastModified\":\"2025-09-11T17:14:10.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\\r\\n\\r\\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz\",\"source\":\"psirt@cisco.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-20159\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-10T18:20:15.573247Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-10T18:20:18.573Z\"}}], \"cna\": {\"title\": \"Cisco IOS XR Software Management Interface ACL Bypass Vulnerability\", \"source\": {\"defects\": [\"CSCwb70861\"], \"advisory\": \"cisco-sa-acl-packetio-Swjhhbtz\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"cvssV3_1\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco IOS XR Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.6.1\"}, {\"status\": \"affected\", \"version\": \"6.5.3\"}, {\"status\": \"affected\", \"version\": \"7.0.1\"}, {\"status\": \"affected\", \"version\": \"6.6.11\"}, {\"status\": \"affected\", \"version\": \"6.5.1\"}, {\"status\": \"affected\", \"version\": \"6.5.2\"}, {\"status\": \"affected\", \"version\": \"6.6.2\"}, {\"status\": \"affected\", \"version\": \"6.6.12\"}, {\"status\": \"affected\", \"version\": \"6.6.25\"}, {\"status\": \"affected\", \"version\": \"7.1.1\"}, {\"status\": \"affected\", \"version\": \"7.0.90\"}, {\"status\": \"affected\", \"version\": \"6.6.3\"}, {\"status\": \"affected\", \"version\": \"7.0.2\"}, {\"status\": \"affected\", \"version\": \"7.1.2\"}, {\"status\": \"affected\", \"version\": \"7.2.1\"}, {\"status\": \"affected\", \"version\": \"7.0.11\"}, {\"status\": \"affected\", \"version\": \"7.0.12\"}, {\"status\": \"affected\", \"version\": \"7.0.14\"}, {\"status\": \"affected\", \"version\": \"6.6.4\"}, {\"status\": \"affected\", \"version\": \"7.2.12\"}, {\"status\": \"affected\", \"version\": \"7.3.1\"}, {\"status\": \"affected\", \"version\": \"7.4.1\"}, {\"status\": \"affected\", \"version\": \"7.2.2\"}, {\"status\": \"affected\", \"version\": \"7.3.15\"}, {\"status\": \"affected\", \"version\": \"7.3.16\"}, {\"status\": \"affected\", \"version\": \"7.4.15\"}, {\"status\": \"affected\", \"version\": \"7.3.2\"}, {\"status\": \"affected\", \"version\": \"7.5.1\"}, {\"status\": \"affected\", \"version\": \"7.4.16\"}, {\"status\": \"affected\", \"version\": \"7.3.27\"}, {\"status\": \"affected\", \"version\": \"7.6.1\"}, {\"status\": \"affected\", \"version\": \"7.5.2\"}, {\"status\": \"affected\", \"version\": \"7.8.1\"}, {\"status\": \"affected\", \"version\": \"7.6.15\"}, {\"status\": \"affected\", \"version\": \"7.5.12\"}, {\"status\": \"affected\", \"version\": \"7.8.12\"}, {\"status\": \"affected\", \"version\": \"7.3.4\"}, {\"status\": \"affected\", \"version\": \"7.3.3\"}, {\"status\": \"affected\", \"version\": \"7.4.2\"}, {\"status\": \"affected\", \"version\": \"7.7.1\"}, {\"status\": \"affected\", \"version\": \"7.6.2\"}, {\"status\": \"affected\", \"version\": \"7.5.3\"}, {\"status\": \"affected\", \"version\": \"7.7.2\"}, {\"status\": \"affected\", \"version\": \"7.9.1\"}, {\"status\": \"affected\", \"version\": \"7.10.1\"}, {\"status\": \"affected\", \"version\": \"7.8.2\"}, {\"status\": \"affected\", \"version\": \"7.5.4\"}, {\"status\": \"affected\", \"version\": \"7.8.22\"}, {\"status\": \"affected\", \"version\": \"7.7.21\"}, {\"status\": \"affected\", \"version\": \"7.9.2\"}, {\"status\": \"affected\", \"version\": \"7.3.5\"}, {\"status\": \"affected\", \"version\": \"7.5.5\"}, {\"status\": \"affected\", \"version\": \"7.11.1\"}, {\"status\": \"affected\", \"version\": \"7.10.2\"}, {\"status\": \"affected\", \"version\": \"24.1.1\"}, {\"status\": \"affected\", \"version\": \"7.3.6\"}, {\"status\": \"affected\", \"version\": \"7.5.52\"}, {\"status\": \"affected\", \"version\": \"7.11.2\"}, {\"status\": \"affected\", \"version\": \"24.2.1\"}, {\"status\": \"affected\", \"version\": \"24.1.2\"}, {\"status\": \"affected\", \"version\": \"24.2.11\"}, {\"status\": \"affected\", \"version\": \"24.3.1\"}, {\"status\": \"affected\", \"version\": \"24.4.1\"}, {\"status\": \"affected\", \"version\": \"24.2.2\"}, {\"status\": \"affected\", \"version\": \"7.11.21\"}, {\"status\": \"affected\", \"version\": \"24.2.20\"}, {\"status\": \"affected\", \"version\": \"24.3.2\"}, {\"status\": \"affected\", \"version\": \"25.1.1\"}, {\"status\": \"affected\", \"version\": \"24.4.2\"}, {\"status\": \"affected\", \"version\": \"24.3.20\"}, {\"status\": \"affected\", \"version\": \"25.1.2\"}, {\"status\": \"affected\", \"version\": \"24.3.30\"}, {\"status\": \"affected\", \"version\": \"24.4.30\"}, {\"status\": \"affected\", \"version\": \"24.2.21\"}], \"defaultStatus\": \"unknown\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"references\": [{\"url\": \"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz\", \"name\": \"cisco-sa-acl-packetio-Swjhhbtz\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\\r\\n\\r\\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"cweId\": \"CWE-284\", \"description\": \"Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2025-09-10T16:06:49.862Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-20159\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-10T18:20:28.931Z\", \"dateReserved\": \"2024-10-10T19:15:13.217Z\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2025-09-10T16:06:49.862Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-6RCJ-394R-R32C

Vulnerability from github – Published: 2025-09-10 18:30 – Updated: 2025-09-10 18:30

Details

This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-20159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-10T16:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\n\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.",
  "id": "GHSA-6rcj-394r-r32c",
  "modified": "2025-09-10T18:30:15Z",
  "published": "2025-09-10T18:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20159"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2025-0286

Vulnerability from csaf_ncscnl - Published: 2025-09-11 08:14 - Updated: 2025-09-11 08:14

Summary

Kwetsbaarheden verholpen in Cisco IOS XR Software

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Cisco heeft kwetsbaarheden verholpen in Cisco IOS XR Software.

Interpretaties

De kwetsbaarheden bevinden zich in de wijze waarop Cisco IOS XR Software omgaat met de management interface ACL-verwerking, het installatieproces en de ARP-implementatie. Een kwaadwillende kan deze kwetsbaarheden misbruiken om geconfigureerde toegangscontrolelijsten te omzeilen, niet-ondertekende software te laden of een broadcaststorm te genereren, wat kan leiden tot ongeautoriseerde toegang, code-executie en een Denial-of-Service (DoS) situatie. Dit heeft aanzienlijke gevolgen voor de integriteit en beschikbaarheid van netwerksystemen.

Oplossingen

Cisco heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-284

Improper Access Control

CWE-347

Improper Verification of Cryptographic Signature

CWE-400

Uncontrolled Resource Consumption

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Cisco heeft kwetsbaarheden verholpen in Cisco IOS XR Software.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden bevinden zich in de wijze waarop Cisco IOS XR Software omgaat met de management interface ACL-verwerking, het installatieproces en de ARP-implementatie. Een kwaadwillende kan deze kwetsbaarheden misbruiken om geconfigureerde toegangscontrolelijsten te omzeilen, niet-ondertekende software te laden of een broadcaststorm te genereren, wat kan leiden tot ongeautoriseerde toegang, code-executie en een Denial-of-Service (DoS) situatie. Dit heeft aanzienlijke gevolgen voor de integriteit en beschikbaarheid van netwerksystemen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Cisco heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Verification of Cryptographic Signature",
        "title": "CWE-347"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-arp-storm-EjUU55yM"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrsig-UY4zRUCG"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Cisco IOS XR Software",
    "tracking": {
      "current_release_date": "2025-09-11T08:14:36.960621Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0286",
      "initial_release_date": "2025-09-11T08:14:36.960621Z",
      "revision_history": [
        {
          "date": "2025-09-11T08:14:36.960621Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Cisco IOS XR Software"
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20159",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20159 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20159.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-20159"
    },
    {
      "cve": "CVE-2025-20248",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Verification of Cryptographic Signature",
          "title": "CWE-347"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-20248"
    },
    {
      "cve": "CVE-2025-20340",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-20340 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-20340.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-20340"
    }
  ]
}

CNVD-2025-21251

Vulnerability from cnvd - Published: 2025-09-12

Title

Cisco IOS XR访问控制错误漏洞（CNVD-2025-21251）

Description

Cisco IOS XR是美国思科（Cisco）公司的一套为其网络设备开发的操作系统。 Cisco IOS XR存在访问控制错误漏洞，该漏洞源于管理接口ACL存在不当的访问控制，攻击者可利用该漏洞导致绕过配置的ACL。

Severity

中

Patch Name

Cisco IOS XR访问控制错误漏洞（CNVD-2025-21251）的补丁

Patch Description

Cisco IOS XR是美国思科（Cisco）公司的一套为其网络设备开发的操作系统。 Cisco IOS XR存在访问控制错误漏洞，该漏洞源于管理接口ACL存在不当的访问控制，攻击者可利用该漏洞导致绕过配置的ACL。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-20159

Impacted products

Name
Cisco IOS XR

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-20159",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-20159"
    }
  },
  "description": "Cisco IOS XR\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e3a\u5176\u7f51\u7edc\u8bbe\u5907\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\n\nCisco IOS XR\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7ba1\u7406\u63a5\u53e3ACL\u5b58\u5728\u4e0d\u5f53\u7684\u8bbf\u95ee\u63a7\u5236\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7ed5\u8fc7\u914d\u7f6e\u7684ACL\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21251",
  "openTime": "2025-09-12",
  "patchDescription": "Cisco IOS XR\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e3a\u5176\u7f51\u7edc\u8bbe\u5907\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nCisco IOS XR\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7ba1\u7406\u63a5\u53e3ACL\u5b58\u5728\u4e0d\u5f53\u7684\u8bbf\u95ee\u63a7\u5236\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7ed5\u8fc7\u914d\u7f6e\u7684ACL\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco IOS XR\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2025-21251\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco IOS XR"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-20159",
  "serverity": "\u4e2d",
  "submitTime": "2025-09-12",
  "title": "Cisco IOS XR\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2025-21251\uff09"
}

CISCO-SA-ACL-PACKETIO-SWJHHBTZ

Vulnerability from csaf_cisco - Published: 2025-09-10 16:00 - Updated: 2025-09-10 16:00

Summary

Cisco IOS XR Software Management Interface ACL Bypass Vulnerability

Notes

Summary

A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features. This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device. For more information about this vulnerability, see the Details ["#details"] section of this advisory. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is part of the September 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication ["https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549"].

Vulnerable Products

At the time of publication, this vulnerability affected the following Cisco platforms and Cisco IOS XR Software releases if they had an IPv4 or IPv6 ACL attached to the management interface: Affected Cisco Platform Affected Cisco IOS XR Software Releases 8000 Series Routers Software image earlier than the first fixed release ASR 9000 Series Aggregation Services Routers Releases 24.1.1 and later but earlier than the first fixed release IOS XR White box (IOSXRWBD) Releases 7.9.1 and later but earlier than the first fixed release IOS XRd vRouters Software image earlier than the first fixed release IOS XRv 9000 Routers Releases 24.1.1 and later but earlier than the first fixed release Network Convergence Series (NCS) 540 Series Routers (NCS540-iosxr base image) Releases 7.9.1 and later but earlier than the first fixed release NCS 540 Series Routers (NCS540L-iosxr base image) All releases earlier than the first fixed release NCS 560 Series Routers Releases 24.2.1 and later but earlier than the first fixed release NCS 1010 Platforms Software image earlier than the first fixed release NCS 1014 Platforms Software image earlier than the first fixed release NCS 5500 Series Routers Releases 7.9.1 and later but earlier than the first fixed release NCS 5700 Series Routers NCS5700 base image earlier than the first fixed release For more information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software ["#fs"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Determine Whether a Configuration Is Vulnerable To determine whether a device from the preceding table has a vulnerable configuration, complete the following steps: Step 1: Determine whether there is an IP ACL To determine whether the device has an IP ACL on the management interface that is configured to block gRPC, SSH, or NETCONF over SSH, use the show running-config interface mgtEth <value> CLI command. The following example shows the output on a device that has an IPv4 ACL configured on the management interface: RP/0/RP0/CPU0:Router#show running-config interface mgmtEth 0/RP0/CPU0/0 Wed Sep 9 16:00:00.000 UTC interface MgmtEth0/RP0/CPU0/0 ipv4 address 10.10.10.10 255.255.255.0 ipv4 access-group MGMT_ACL ingress ! RP/0/RP0/CPU0:Router# Examine the contents of the MGMT_ACL. If it is configured to deny the ports that are configured for gRPC, SSH, or NETCONF over SSH, this is a match. Proceed to Step 2. Otherwise, the device is not affected. Stop here. Step 2: Determine the status of gRPC To determine whether gRPC is configured on a device, use the show running-config grpc CLI command. The following example shows the output on a device that has gRPC enabled and configured: RP/0/RP0/CPU0:Router# show running-config grpc Wed Sep 9 16:00:00.000 UTC grpc port 57400 ! RP/0/RP0/CPU0:Router# If gRPC is enabled, use the show running-config linux networking CLI command to determine whether Traffic Protection for Linux Networking is configured. The following example shows the output on a device that allows gRPC only from a single remote subnet on a single local interface: RP/0/RP0/CPU0:Router# show running-config linux networking Wed Sep 9 16:00:00.000 UTC linux networking vrf default address-family ipv4 protection protocol tcp local-port all default-action deny ! protocol tcp local-port 57400 default-action deny permit remote-address 192.0.2.0/24 interface HundredGigE0/0/0/25 ! ! ! ! RP/0/RP0/CPU0:Router# If gRPC is enabled and Traffic Protection is configured to protect the gRPC service, the device is configured correctly. If gRPC is enabled but Traffic Protection is not configured to protect the gRPC service, either configure Traffic Protection or migrate to a fixed release to leverage Management Interface filtering support of gRPC. Proceed to Step 3 only if evaluating the following Cisco products and releases: 8000 Series Routers that are running an IOS XR image earlier than the first fixed release NCS 540 Series Routers that are running an NCS540L-iosxr base image earlier than the first fixed release NCS 5700 Series Routers that are running an NCS5700 base image earlier than the first fixed release Otherwise, stop here. Step 3: Determine the status of SSH To determine whether SSH is configured on a device, use the show running-config ssh CLI command. The following example shows the output on a device that has the SSH service enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the SSH server: RP/0/RP0/CPU0:Router#show running-config ssh Wed Sep 9 16:00:00.000 UTC ssh server v2 ssh server vrf mgmt ipv4 access-list SSH_ACL_Ingress ipv6 access-list SSH_ACL_Ingress RP/0/RP0/CPU0:Router# If SSH is enabled and IP ACLs are applied to the SSH service, the device is configured correctly. If SSH is enabled but IP ACLs are not configured to protect the SSH service, either add the ssh server ipv4|ipv6 access-list <name> configuration or migrate to a fixed release to leverage Management Interface filtering support of SSH. Proceed to Step 4. Step 4: Determine the status of NETCONF over SSH To determine whether NETCONF over SSH is configured, use the show running-config ssh server netconf CLI command. The following example shows the output on a device that has NETCONF over SSH enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the NetConf SSH server: RP/0/RP0/CPU0:Router#show running-config ssh server netconf Wed Sep 9 16:00:00.000 UTC ssh server netconf vrf mgmt ipv4 access-list NetConf_ACL_Ingress ipv6 access-list NetConf_ACL_Ingress RP/0/RP0/CPU0:Router# If NETCONF over SSH is enabled and IP ACLs are applied to the NETCONF SSH service, the device is configured correctly. If NETCONF over SSH is enabled but IP ACLs are not configured to protect the NETCONF SSH service, either add the ssh server netconf ipv4|ipv6 access-list <name> configuration or migrate to a fixed release to leverage Management Interface filtering support of NETCONF SSH.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: IOS Software IOS XE Software NX-OS Software

Details

Cisco IOS XR Software Packet I/O infrastructure is used on all releases that are running on the following Cisco platforms (Native Packet I/O platforms): 8000 Series Routers IOS XRd vRouters NCS 540 Series Routers (NCS540L base image) NCS 1010 Platforms1 NCS 1014 Platforms1 NCS 5700 Series Routers (NCS5700 base image) 1. Cisco NCS 1010 and NCS 1014 Platforms consider traffic arriving over the software GigabitEthernet0/0/0/[0-3] interfaces as management traffic interfaces. So if ACLs are applied, they are subject to the same conditions as the mgmtEth interface. The following platforms migrated to a Packet I/O infrastructure in the specified releases (Migrated Packet I/O platforms): ASR 9000 Series Aggregation Services Routers — 24.1.1 and later IOS XR White box (IOSXRWBD) — 7.9.1 and later IOS XRv 9000 Routers — 24.1.1 and later NCS 540 Series Routers — 7.9.1 and later NCS 560 Series Routers — 24.2.1 and later NCS 5500 Series Routers — 7.9.1 and later Within Cisco IOS XR Software Packet I/O infrastructure, an ACL that is applied to the management interface does not get enforced for any Linux applications. This includes gRPC, SSH (CiscoSSH), NETCONF, and customer-installed Linux applications. Native Packet I/O Platforms This section includes details for releases that do not support management interface ACLs. gRPC Filtering for the gRPC services should be done using Traffic Protection for Linux Networking. For more details, see the Best Practices with Traffic Protection ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#bestpractraffic"] section of the Cisco IOS XR Software Hardening Guide. Traffic Protection for Linux Networking protects against inbound traffic that does not match established connections, not against outbound traffic. Filtering gRPC through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.2 and later and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo52518 ["https://bst.cisco.com/bugsearch/bug/CSCwo52518"]. SSH and NETCONF over SSH These platforms use CiscoSSH, which is handled in Linux Networking. Traffic Protection for Linux Networking does not cover CiscoSSH. To filter out the ingress SSH and Netconf traffic, Cisco recommends configuring the ingress ACL under the SSH server configuration mode: For SSH: ssh server vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name For Netconf: ssh server netconf vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name Filtering SSH and Netconf over SSH through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.1 and later. This is documented in Cisco bug ID CSCwb70861 ["https://bst.cisco.com/bugsearch/bug/CSCwb70861"]. For Cisco IOS XR Software releases 25.1.1 and later, when configuring filtering on the management interface for SSH and NetConf traffic, administrators must configure ssh server packet-flow-netio ingress. Migrated Packet I/O Platforms gRPC After a platform has migrated to a release that supports Packet I/O, filtering for the gRPC services should be done using the instructions in the Traffic Protection ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux"]for Linux Networking ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux"] section of the Cisco IOS XR Software Hardening Guide. Filtering gRPC through an ingress ACL that is applied to the management interface on the platforms that are listed at the top of this section that migrated to Packet I/O infrastructure is supported from Cisco IOS XR Software releases 24.2.21 and later, releases 25.1.2 and later, and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo51041 ["https://bst.cisco.com/bugsearch/bug/CSCwo51041"]. SSH and NETCONF over SSH At the time of publication, the platforms that are listed at the top of this section use an SSH service that is not affected by the vulnerability that is described in this advisory. Filtering is supported either through the SSH server configuration mode or through an ingress management interface ACL.

Workarounds

There are no workarounds for attaching the IPv4 or IPv6 ACL to the management interface to block gRPC, SSH, or NETCONF over SSH. Customers need to migrate to a fixed release that introduces support for this feature. For more information about the platforms and the types of filtering to apply to the affected protocols to ensure that devices are properly protected from unauthorized access, see the Details ["#details"] section of this advisory. However, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC). While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. In the following table, the left column lists Cisco software releases or trains. The middle and right columns indicate whether a release (train) is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Cisco Platform First Fixed Release that Supports Management Interface ACLs – gRPC First Fixed Release that Supports Management Interface ACLs – SSH and NETCONF 8000 Series Routers1 25.1.2 25.2.1 25.1.1 ASR 9000 Series Aggregation Services Routers 24.2.21 25.1.2 25.2.1 Not affected IOS XR White box (IOSXRWBD) 24.2.21 25.1.2 25.2.1 Not affected IOS XRd vRouters 25.1.2 25.2.1 25.1.1 IOS XRv 9000 Routers 24.2.21 25.1.2 25.2.1 Not affected NCS 540 Series Routers (NCS540-iosxr base image) 24.2.21 25.1.2 25.2.1 Not affected NCS 540 Series Routers (NCS540L-iosxr base image) 25.1.2 25.2.1 25.1.1 NCS 560 Series Routers 24.2.21 25.1.2 25.2.1 Not affected NCS 1010 Platforms 25.1.2 25.2.1 25.1.1 NCS 1014 Platforms 25.1.2 25.2.1 25.1.1 NCS 5500 Series Routers 24.2.21 25.1.2 25.2.1 Not affected NCS 5700 Series Routers 25.1.2 25.2.1 25.1.1 1. In Cisco 8000 deployments that use dual route processors, the filtering on the standby route processor management interface is not correctly enforced. Customers who have dual route processors should migrate to Release 25.2.2, 25.4.1, or 26.1.1 when available to ensure filtering is correctly applied on both active and standby route processors. This is documented in Cisco bug ID CSCwq48170 ["https://bst.cisco.com/bugsearch/bug/CSCwq48170"]. No SMUs have been made available for this vulnerability because there are suitable alternative configurations that can be put in place to protect devices. Customers who want support for these protocols on a configured ACL on the management interface should upgrade to a fixed software release. The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "summary": "This vulnerability was found during the resolution of a Cisco TAC support case."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\r\n\r\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.\r\n\r\nFor more information about this vulnerability, see the Details [\"#details\"] section of this advisory.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\n\r\n\r\nThis advisory is part of the September 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication [\"https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549\"].",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "At the time of publication, this vulnerability affected the following Cisco platforms and Cisco IOS XR Software releases if they had an IPv4 or IPv6 ACL attached to the management interface:\r\n        Affected Cisco Platform  Affected Cisco IOS XR Software Releases          8000 Series Routers  Software image earlier than the first fixed release      ASR 9000 Series Aggregation Services Routers  Releases 24.1.1 and later but earlier than the first fixed release      IOS XR White box (IOSXRWBD)   Releases 7.9.1 and later but earlier than the first fixed release      IOS XRd vRouters  Software image earlier than the first fixed release      IOS XRv 9000 Routers  Releases 24.1.1 and later but earlier than the first fixed release      Network Convergence Series (NCS) 540 Series Routers\r\n(NCS540-iosxr base image)   Releases 7.9.1 and later but earlier than the first fixed release      NCS 540 Series Routers\r\n(NCS540L-iosxr base image)  All releases earlier than the first fixed release      NCS 560 Series Routers  Releases 24.2.1 and later but earlier than the first fixed release      NCS 1010 Platforms  Software image earlier than the first fixed release      NCS 1014 Platforms  Software image earlier than the first fixed release      NCS 5500 Series Routers  Releases 7.9.1 and later but earlier than the first fixed release      NCS 5700 Series Routers  NCS5700 base image earlier than the first fixed release\r\nFor more information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software [\"#fs\"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n  Determine Whether a Configuration Is Vulnerable\r\nTo determine whether a device from the preceding table has a vulnerable configuration, complete the following steps:\r\n\r\nStep 1: Determine whether there is an IP ACL\r\n\r\nTo determine whether the device has an IP ACL on the management interface that is configured to block gRPC, SSH, or NETCONF over SSH, use the show running-config interface mgtEth \u003cvalue\u003e CLI command. The following example shows the output on a device that has an IPv4 ACL configured on the management interface:\r\n\r\n\r\nRP/0/RP0/CPU0:Router#show running-config interface mgmtEth 0/RP0/CPU0/0\r\nWed Sep 9 16:00:00.000 UTC\r\ninterface MgmtEth0/RP0/CPU0/0\r\nipv4 address 10.10.10.10 255.255.255.0\r\nipv4 access-group MGMT_ACL ingress\r\n!\r\n  RP/0/RP0/CPU0:Router#\r\n\r\nExamine the contents of the MGMT_ACL. If it is configured to deny the ports that are configured for gRPC, SSH, or NETCONF over SSH, this is a match. Proceed to Step 2.\r\n\r\nOtherwise, the device is not affected. Stop here.\r\n\r\nStep 2: Determine the status of gRPC\r\n\r\nTo determine whether gRPC is configured on a device, use the show running-config grpc CLI command. The following example shows the output on a device that has gRPC enabled and configured:\r\n\r\n\r\nRP/0/RP0/CPU0:Router# show running-config grpc\r\nWed Sep 9 16:00:00.000 UTC\r\ngrpc\r\nport 57400\r\n!\r\n\r\nRP/0/RP0/CPU0:Router#\r\n\r\nIf gRPC is enabled, use the show running-config linux networking CLI command to determine whether Traffic Protection for Linux Networking is configured. The following example shows the output on a device that allows gRPC only from a single remote subnet on a single local interface:\r\n\r\n\r\nRP/0/RP0/CPU0:Router# show running-config linux networking\r\nWed Sep 9 16:00:00.000 UTC\r\nlinux networking\r\n vrf default\r\n  address-family ipv4\r\n   protection\r\n    protocol tcp local-port all default-action deny\r\n    !\r\n    protocol tcp local-port 57400 default-action deny\r\n     permit remote-address 192.0.2.0/24 interface HundredGigE0/0/0/25\r\n    !\r\n   !\r\n  !\r\n!\r\nRP/0/RP0/CPU0:Router#\r\n\r\nIf gRPC is enabled and Traffic Protection is configured to protect the gRPC service, the device is configured correctly.\r\n\r\nIf gRPC is enabled but Traffic Protection is not configured to protect the gRPC service, either configure Traffic Protection or migrate to a fixed release to leverage Management Interface filtering support of gRPC.\r\n\r\nProceed to Step 3 only if evaluating the following Cisco products and releases:\r\n\r\n8000 Series Routers that are running an IOS XR image earlier than the first fixed release\r\nNCS 540 Series Routers that are running an NCS540L-iosxr base image earlier than the first fixed release\r\nNCS 5700 Series Routers that are running an NCS5700 base image earlier than the first fixed release\r\n\r\nOtherwise, stop here.\r\n\r\nStep 3: Determine the status of SSH\r\n\r\nTo determine whether SSH is configured on a device, use the show running-config ssh CLI command. The following example shows the output on a device that has the SSH service enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the SSH server:\r\n\r\n\r\nRP/0/RP0/CPU0:Router#show running-config ssh\r\nWed Sep 9 16:00:00.000 UTC\r\nssh server v2\r\nssh server vrf mgmt ipv4 access-list SSH_ACL_Ingress ipv6 access-list SSH_ACL_Ingress\r\n\r\nRP/0/RP0/CPU0:Router#\r\n\r\nIf SSH is enabled and IP ACLs are applied to the SSH service, the device is configured correctly.\r\n\r\nIf SSH is enabled but IP ACLs are not configured to protect the SSH service, either add the ssh server ipv4|ipv6 access-list \u003cname\u003e configuration or migrate to a fixed release to leverage Management Interface filtering support of SSH.\r\n\r\nProceed to Step 4.\r\n\r\nStep 4: Determine the status of NETCONF over SSH\r\n\r\nTo determine whether NETCONF over SSH is configured, use the show running-config ssh server netconf CLI command. The following example shows the output on a device that has NETCONF over SSH enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the NetConf SSH server:\r\n\r\n\r\nRP/0/RP0/CPU0:Router#show running-config ssh server netconf\r\nWed Sep 9 16:00:00.000 UTC\r\nssh server netconf vrf mgmt ipv4 access-list NetConf_ACL_Ingress ipv6 access-list NetConf_ACL_Ingress\r\n\r\nRP/0/RP0/CPU0:Router#\r\n\r\nIf NETCONF over SSH is enabled and IP ACLs are applied to the NETCONF SSH service, the device is configured correctly.\r\n\r\nIf NETCONF over SSH is enabled but IP ACLs are not configured to protect the NETCONF SSH service, either add the ssh server netconf ipv4|ipv6 access-list \u003cname\u003e configuration or migrate to a fixed release to leverage Management Interface filtering support of NETCONF SSH.",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nIOS Software\r\nIOS XE Software\r\nNX-OS Software",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "Cisco IOS XR Software Packet I/O infrastructure is used on all releases that are running on the following Cisco platforms (Native Packet I/O platforms):\r\n\r\n8000 Series Routers\r\nIOS XRd vRouters\r\nNCS 540 Series Routers (NCS540L base image)\r\nNCS 1010 Platforms1\r\nNCS 1014 Platforms1\r\nNCS 5700 Series Routers (NCS5700 base image)\r\n\r\n1. Cisco NCS 1010 and NCS 1014 Platforms consider traffic arriving over the software GigabitEthernet0/0/0/[0-3] interfaces as management traffic interfaces. So if ACLs are applied, they are subject to the same conditions as the mgmtEth interface.\r\n\r\nThe following platforms migrated to a Packet I/O infrastructure in the specified releases (Migrated Packet I/O platforms):\r\n\r\nASR 9000 Series Aggregation Services Routers \u2014 24.1.1 and later\r\nIOS XR White box (IOSXRWBD) \u2014 7.9.1 and later\r\nIOS XRv 9000 Routers \u2014 24.1.1 and later\r\nNCS 540 Series Routers \u2014 7.9.1 and later\r\nNCS 560 Series Routers \u2014 24.2.1 and later\r\nNCS 5500 Series Routers \u2014 7.9.1 and later\r\n\r\nWithin Cisco IOS XR Software Packet I/O infrastructure, an ACL that is applied to the management interface does not get enforced for any Linux applications. This includes gRPC, SSH (CiscoSSH), NETCONF, and customer-installed Linux applications.\r\n  Native Packet I/O Platforms\r\nThis section includes details for releases that do not support management interface ACLs.\r\n\r\ngRPC\r\n\r\nFiltering for the gRPC services should be done using Traffic Protection for Linux Networking. For more details, see the Best Practices with Traffic Protection [\"https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#bestpractraffic\"] section of the Cisco IOS XR Software Hardening Guide.\r\n\r\nTraffic Protection for Linux Networking protects against inbound traffic that does not match established connections, not against outbound traffic.\r\n\r\nFiltering gRPC through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.2 and later and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo52518 [\"https://bst.cisco.com/bugsearch/bug/CSCwo52518\"].\r\n\r\nSSH and NETCONF over SSH\r\n\r\nThese platforms use CiscoSSH, which is handled in Linux Networking. Traffic Protection for Linux Networking does not cover CiscoSSH.\r\n\r\nTo filter out the ingress SSH and Netconf traffic, Cisco recommends configuring the ingress ACL under the SSH server configuration mode:\r\n\r\nFor SSH: ssh server vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name\r\nFor Netconf: ssh server netconf vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name\r\n\r\nFiltering SSH and Netconf over SSH through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.1 and later. This is documented in Cisco bug ID CSCwb70861 [\"https://bst.cisco.com/bugsearch/bug/CSCwb70861\"].\r\n\r\nFor Cisco IOS XR Software releases 25.1.1 and later, when configuring filtering on the management interface for SSH and NetConf traffic, administrators must configure ssh server packet-flow-netio ingress.\r\n  Migrated Packet I/O Platforms\r\ngRPC\r\n\r\nAfter a platform has migrated to a release that supports Packet I/O, filtering for the gRPC services should be done using the instructions in the Traffic Protection  [\"https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux\"]for Linux Networking [\"https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux\"] section of the Cisco IOS XR Software Hardening Guide.\r\n\r\nFiltering gRPC through an ingress ACL that is applied to the management interface on the platforms that are listed at the top of this section that migrated to Packet I/O infrastructure is supported from Cisco IOS XR Software releases 24.2.21 and later, releases 25.1.2 and later, and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo51041 [\"https://bst.cisco.com/bugsearch/bug/CSCwo51041\"].\r\n\r\nSSH and NETCONF over SSH\r\n\r\nAt the time of publication, the platforms that are listed at the top of this section use an SSH service that is not affected by the vulnerability that is described in this advisory.\r\n\r\nFiltering is supported either through the SSH server configuration mode or through an ingress management interface ACL.",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "There are no workarounds for attaching the IPv4 or IPv6 ACL to the management interface to block gRPC, SSH, or NETCONF over SSH. Customers need to migrate to a fixed release that introduces support for this feature. For more information about the platforms and the types of filtering to apply to the affected protocols to ensure that devices are properly protected from unauthorized access, see the Details [\"#details\"] section of this advisory.\r\n\r\nHowever, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).\r\n\r\nWhile this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n      Fixed Releases\r\nAt the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n\r\nIn the following table, the left column lists Cisco software releases or trains. The middle and right columns indicate whether a release (train) is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability.\r\n          Cisco Platform  First Fixed Release that Supports Management Interface ACLs \u2013 gRPC  First Fixed Release that Supports Management Interface ACLs \u2013 SSH and NETCONF          8000 Series Routers1  25.1.2\r\n25.2.1  25.1.1      ASR 9000 Series Aggregation Services Routers  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      IOS XR White box (IOSXRWBD)  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      IOS XRd vRouters  25.1.2\r\n25.2.1  25.1.1      IOS XRv 9000 Routers  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      NCS 540 Series Routers\r\n(NCS540-iosxr base image)  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      NCS 540 Series Routers\r\n(NCS540L-iosxr base image)  25.1.2\r\n25.2.1  25.1.1      NCS 560 Series Routers  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      NCS 1010 Platforms  25.1.2\r\n25.2.1  25.1.1      NCS 1014 Platforms  25.1.2\r\n25.2.1  25.1.1      NCS 5500 Series Routers  24.2.21\r\n25.1.2\r\n25.2.1  Not affected      NCS 5700 Series Routers  25.1.2\r\n25.2.1  25.1.1\r\n1. In Cisco 8000 deployments that use dual route processors, the filtering on the standby route processor management interface is not correctly enforced. Customers who have dual route processors should migrate to Release 25.2.2, 25.4.1, or 26.1.1 when available to ensure filtering is correctly applied on both active and standby route processors. This is documented in Cisco bug ID CSCwq48170 [\"https://bst.cisco.com/bugsearch/bug/CSCwq48170\"].\r\nNo SMUs have been made available for this vulnerability because there are suitable alternative configurations that can be put in place to protect devices. Customers who want support for these protocols on a configured ACL on the management interface should upgrade to a fixed software release.\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "This vulnerability was found during the resolution of a Cisco TAC support case.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@cisco.com",
      "issuing_authority": "Cisco PSIRT",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz"
      },
      {
        "category": "external",
        "summary": "Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication",
        "url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Best Practices with Traffic Protection",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#bestpractraffic"
      },
      {
        "category": "external",
        "summary": "CSCwo52518",
        "url": "https://bst.cisco.com/bugsearch/bug/CSCwo52518"
      },
      {
        "category": "external",
        "summary": "CSCwb70861",
        "url": "https://bst.cisco.com/bugsearch/bug/CSCwb70861"
      },
      {
        "category": "external",
        "summary": "Traffic Protection",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux"
      },
      {
        "category": "external",
        "summary": "CSCwo51041",
        "url": "https://bst.cisco.com/bugsearch/bug/CSCwo51041"
      },
      {
        "category": "external",
        "summary": "considering software upgrades",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "Cisco Security Advisories page",
        "url": "https://www.cisco.com/go/psirt"
      },
      {
        "category": "external",
        "summary": "CSCwq48170",
        "url": "https://bst.cisco.com/bugsearch/bug/CSCwq48170"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2025-09-10T16:00:00+00:00",
      "generator": {
        "date": "2025-09-10T15:54:48+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-acl-packetio-Swjhhbtz",
      "initial_release_date": "2025-09-10T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2025-09-10T15:54:38+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco IOS XR Software",
            "product": {
              "name": "Cisco IOS XR Software ",
              "product_id": "CSAFPID-5834"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-20159",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwo51041"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwb70861"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwo52518"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCwq48170"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-5834"
        ]
      },
      "release_date": "2025-09-10T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-5834"
          ],
          "url": "https://software.cisco.com"
        },
        {
          "category": "workaround",
          "details": "There are no workarounds for attaching the IPv4 or IPv6 ACL to the management interface to block gRPC, SSH, or NETCONF over SSH. Customers need to migrate to a fixed release that introduces support for this feature. For more information about the platforms and the types of filtering to apply to the affected protocols to ensure that devices are properly protected from unauthorized access, see the Details [\"#details\"] section of this advisory.\r\n\r\nHowever, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).\r\n\r\nWhile this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
          "product_ids": [
            "CSAFPID-5834"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-5834"
          ]
        }
      ],
      "title": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability"
    }
  ]
}

FKIE_CVE-2025-20159

Vulnerability from fkie_nvd - Published: 2025-09-10 16:15 - Updated: 2025-09-11 17:14

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	psirt@cisco.com	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.\r\n\r\nThis vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device."
    }
  ],
  "id": "CVE-2025-20159",
  "lastModified": "2025-09-11T17:14:10.147",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "psirt@cisco.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-09-10T16:15:35.880",
  "references": [
    {
      "source": "psirt@cisco.com",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-20159 (GCVE-0-2025-20159)

GHSA-6RCJ-394R-R32C

NCSC-2025-0286

CNVD-2025-21251

CISCO-SA-ACL-PACKETIO-SWJHHBTZ

FKIE_CVE-2025-20159

Tags

Sightings

Nomenclature