Cisco fixes high-severity IOS XR flaws enabling image bypass and DoS

Cisco addressed multiple high-severity IOS XR vulnerabilities that can allow ISO image verification bypass and trigger DoS conditions.

Cisco addressed multiple vulnerabilities in IOS XR software as part of its semiannual Software Security Advisory Bundled Publication published on September 10, 2025.

Below are the vulnerabilities addressed by the network giant:

The following table identifies Cisco Security content that is associated with this bundled publication:

| Cisco Security Advisory | CVE ID | Security Impact Rating | CVSS Base Score |
| --- | --- | --- | --- |
| Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability | CVE-2025-20340 | High | 7.4 |
| Cisco IOS XR Software Image Verification Bypass Vulnerability | CVE-2025-20248 | High | 6 |
| Cisco IOS XR Software Management Interface ACL Bypass Vulnerability | CVE-2025-20159 | Medium | 5.3 |

The most severe of these vulnerabilities is a high-severity issue, tracked as CVE-2025-20340, that resides in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software. An unauthenticated, adjacent attacker can exploit the flaw to trigger a broadcast storm, causing a denial of service (DoS) condition on an affected device.

“This vulnerability is due to how Cisco IOS XR Software processes a high, sustained rate of ARP traffic hitting the management interface. Under certain conditions, an attacker could exploit this vulnerability by sending an excessive amount of traffic to the management interface of an affected device, overwhelming its ARP processing capabilities,” reads the advisory. “A successful exploit could result in degraded device performance, loss of management connectivity, and complete unresponsiveness of the system, leading to a DoS condition.”
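A defender-side sketch of the condition the advisory describes, a high and sustained ARP rate on the management interface, added here as an example that is not from Cisco or the original article. The frame tuples, interface names, and the thresholds (200 frames per second for 5 consecutive seconds) are constructed assumptions, not vendor guidance.

```python
from collections import Counter, defaultdict

def sustained_arp_alerts(frames, iface, rate_threshold, sustain_seconds):
    """Return (start, end, peak_per_sec, top_sender) for each run of at least
    sustain_seconds consecutive seconds at or above rate_threshold on iface.
    frames: iterable of (epoch_second, interface_name, sender_mac) per ARP frame."""
    per_sec = Counter()
    senders = defaultdict(Counter)
    for ts, name, mac in frames:
        if name == iface:
            per_sec[ts] += 1
            senders[ts][mac] += 1
    if not per_sec:
        return []
    alerts, run = [], []
    # Walk every second in range so quiet seconds (count 0) break a run;
    # the extra trailing second flushes a run that lasts to the end.
    for sec in range(min(per_sec), max(per_sec) + 2):
        if per_sec.get(sec, 0) >= rate_threshold:
            run.append(sec)
            continue
        if len(run) >= sustain_seconds:
            totals = Counter()
            for s in run:
                totals.update(senders[s])
            alerts.append((run[0], run[-1], max(per_sec[s] for s in run),
                           totals.most_common(1)[0][0]))
        run = []
    return alerts

MGMT = "MgmtEth0/RP0/CPU0/0"          # assumed management interface name
DATA = "GigabitEthernet0/0/0/1"       # assumed data-plane interface name

def constructed_sample():
    """Constructed ARP observations, not captured traffic."""
    frames = []
    for t in range(0, 30):            # background: 3 ARP frames per second
        frames += [(t, MGMT, "02:00:00:00:00:01")] * 3
    for t in range(5, 7):             # 2 s spike: too short to count as sustained
        frames += [(t, MGMT, "02:00:00:00:00:02")] * 500
    for t in range(12, 22):           # 10 s sustained flood on management
        frames += [(t, MGMT, "02:00:00:00:00:03")] * 800
    for t in range(12, 22):           # same rate on a data port: out of scope
        frames += [(t, DATA, "02:00:00:00:00:03")] * 800
    return frames

if __name__ == "__main__":
    for alert in sustained_arp_alerts(constructed_sample(), MGMT, 200, 5):
        print("sustained ARP rate on %s: seconds %d-%d, peak %d/s, top sender %s"
              % ((MGMT,) + alert))
```

Requiring consecutive seconds above the threshold separates the sustained rate the advisory names from short bursts such as a segment-wide ARP refresh.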

Tracked as CVE-2025-20248 (CVSS score of 6), another of the bugs is a high-severity issue in the IOS XR installation process that could allow attackers to bypass image signature verification.

Successful exploitation of the flaw, Cisco explains, could lead to unsigned files being added to an ISO image, which could then be installed and activated on a device.

Because of the potential bypass of the image verification process, Cisco has raised the security impact rating of the advisory from medium to high.

Exploiting CVE-2025-20248 requires root-system privileges on the affected device. Attackers with those privileges can bypass image signature checks, insert unsigned files into an ISO image, and install them on devices.

“To exploit this vulnerability, the attacker must have root-system privileges on the affected device,” continues the advisory. “This vulnerability is due to incomplete validation of files during the installation of an .iso file. An attacker could exploit this vulnerability by modifying contents of the .iso image and then installing and activating it on the device. A successful exploit could allow the attacker to load an unsigned file as part of the image activation process.”

The networking giant also fixed a medium-severity IOS XR flaw, tracked as CVE-2025-20159 (CVSS 5.3), that lets remote attackers bypass ACLs for SSH, NetConf, and gRPC due to missing ACL support in the management interface.

Cisco says it is not aware of any attacks in the wild exploiting any of these vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – hacking, IOS XR)