Cisco on Wednesday launched patches for 3 vulnerabilities in IOS XR software program, as a part of its September 2025 safety advisory bundled publication.
Tracked as CVE-2025-20248 (CVSS rating of 6), the primary of the bugs is a high-severity situation within the IOS XR set up course of that might enable attackers to bypass picture signature verification.
Profitable exploitation of the flaw, Cisco explains, may result in unsigned information being added to an ISO picture, which may then be put in and activated on a tool.
Due to the potential bypass of the picture verification course of, Cisco has raised the safety affect score of the advisory from medium to excessive.
The second IOS XR situation resolved this week is CVE-2025-20340 (CVSS rating of seven.4), a bug within the software program’s Handle Decision Protocol (ARP) implementation that could possibly be exploited by adjoining, unauthenticated attackers to trigger a denial-of-service (DoS) situation.
“This vulnerability is because of how Cisco IOS XR Software program processes a excessive, sustained price of ARP site visitors hitting the administration interface. Below sure situations, an attacker may exploit this vulnerability by sending an extreme quantity of site visitors to the administration interface of an affected gadget, overwhelming its ARP processing capabilities,” Cisco explains.
The third safety defect is a medium-severity situation in IOS XR’s ACL processing characteristic that might enable unauthenticated, distant attackers to ship site visitors to a weak gadget and bypass configured ACLs for the SSH, NetConf, and gRPC options.
Tracked as CVE-2025-20159 (CVSS rating of 5.3), the flaw exists as a result of IOS XR packet I/O infrastructure platforms for SSH, NetConf, and gRPC haven’t supported administration interface ACLs.Commercial. Scroll to proceed studying.
Cisco says it isn’t conscious of any of those vulnerabilities being exploited within the wild. Customers are suggested to use the out there patches as quickly as potential, as hackers are identified to have exploited Cisco bugs.
Associated: Fortinet, Ivanti, Nvidia Launch Safety Updates
Associated: Apple Unveils iPhone Reminiscence Protections to Fight Refined Assaults
Associated: ICS Patch Tuesday: Rockwell Automation Leads With 8 Safety Advisories
Associated: SAP Patches Crucial NetWeaver Vulnerabilities
