cisco-sa-acl-packetio-swjhhbtz
Vulnerability from csaf_cisco
Published
2025-09-10 16:00
Modified
2025-09-10 16:00
Summary
Cisco IOS XR Software Management Interface ACL Bypass Vulnerability
Notes
Summary
A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.
This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.
For more information about this vulnerability, see the Details ["#details"] section of this advisory.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is part of the September 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication ["https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549"].
Vulnerable Products
At the time of publication, this vulnerability affected the following Cisco platforms and Cisco IOS XR Software releases if they had an IPv4 or IPv6 ACL attached to the management interface:
Affected Cisco Platform                                                       | Affected Cisco IOS XR Software Releases
8000 Series Routers                                                           | Software image earlier than the first fixed release
ASR 9000 Series Aggregation Services Routers                                  | Releases 24.1.1 and later but earlier than the first fixed release
IOS XR White box (IOSXRWBD)                                                   | Releases 7.9.1 and later but earlier than the first fixed release
IOS XRd vRouters                                                              | Software image earlier than the first fixed release
IOS XRv 9000 Routers                                                          | Releases 24.1.1 and later but earlier than the first fixed release
Network Convergence Series (NCS) 540 Series Routers (NCS540-iosxr base image) | Releases 7.9.1 and later but earlier than the first fixed release
NCS 540 Series Routers (NCS540L-iosxr base image)                             | All releases earlier than the first fixed release
NCS 560 Series Routers                                                        | Releases 24.2.1 and later but earlier than the first fixed release
NCS 1010 Platforms                                                            | Software image earlier than the first fixed release
NCS 1014 Platforms                                                            | Software image earlier than the first fixed release
NCS 5500 Series Routers                                                       | Releases 7.9.1 and later but earlier than the first fixed release
NCS 5700 Series Routers                                                       | NCS5700 base image earlier than the first fixed release
For more information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software ["#fs"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine Whether a Configuration Is Vulnerable
To determine whether a device from the preceding table has a vulnerable configuration, complete the following steps:
Step 1: Determine whether there is an IP ACL
To determine whether the device has an IP ACL on the management interface that is configured to block gRPC, SSH, or NETCONF over SSH, use the show running-config interface mgmtEth <value> CLI command. The following example shows the output on a device that has an IPv4 ACL configured on the management interface:
RP/0/RP0/CPU0:Router#show running-config interface mgmtEth 0/RP0/CPU0/0
Wed Sep 9 16:00:00.000 UTC
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 10.10.10.10 255.255.255.0
 ipv4 access-group MGMT_ACL ingress
!
RP/0/RP0/CPU0:Router#
Examine the contents of the MGMT_ACL. If it is configured to deny the ports that are configured for gRPC, SSH, or NETCONF over SSH, this is a match. Proceed to Step 2.
Otherwise, the device is not affected. Stop here.
Step 2: Determine the status of gRPC
To determine whether gRPC is configured on a device, use the show running-config grpc CLI command. The following example shows the output on a device that has gRPC enabled and configured:
RP/0/RP0/CPU0:Router# show running-config grpc
Wed Sep 9 16:00:00.000 UTC
grpc
 port 57400
!
RP/0/RP0/CPU0:Router#
If gRPC is enabled, use the show running-config linux networking CLI command to determine whether Traffic Protection for Linux Networking is configured. The following example shows the output on a device that allows gRPC only from a single remote subnet on a single local interface:
RP/0/RP0/CPU0:Router# show running-config linux networking
Wed Sep 9 16:00:00.000 UTC
linux networking
 vrf default
  address-family ipv4
   protection
    protocol tcp local-port all default-action deny
    !
    protocol tcp local-port 57400 default-action deny
     permit remote-address 192.0.2.0/24 interface HundredGigE0/0/0/25
    !
   !
  !
!
RP/0/RP0/CPU0:Router#
If gRPC is enabled and Traffic Protection is configured to protect the gRPC service, the device is configured correctly.
If gRPC is enabled but Traffic Protection is not configured to protect the gRPC service, either configure Traffic Protection or migrate to a fixed release to leverage Management Interface filtering support of gRPC.
Proceed to Step 3 only if evaluating the following Cisco products and releases:
8000 Series Routers that are running an IOS XR image earlier than the first fixed release
NCS 540 Series Routers that are running an NCS540L-iosxr base image earlier than the first fixed release
NCS 5700 Series Routers that are running an NCS5700 base image earlier than the first fixed release
Otherwise, stop here.
Step 3: Determine the status of SSH
To determine whether SSH is configured on a device, use the show running-config ssh CLI command. The following example shows the output on a device that has the SSH service enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the SSH server:
RP/0/RP0/CPU0:Router#show running-config ssh
Wed Sep 9 16:00:00.000 UTC
ssh server v2
ssh server vrf mgmt ipv4 access-list SSH_ACL_Ingress ipv6 access-list SSH_ACL_Ingress
RP/0/RP0/CPU0:Router#
If SSH is enabled and IP ACLs are applied to the SSH service, the device is configured correctly.
If SSH is enabled but IP ACLs are not configured to protect the SSH service, either add the ssh server ipv4|ipv6 access-list <name> configuration or migrate to a fixed release to leverage Management Interface filtering support of SSH.
Proceed to Step 4.
Step 4: Determine the status of NETCONF over SSH
To determine whether NETCONF over SSH is configured, use the show running-config ssh server netconf CLI command. The following example shows the output on a device that has NETCONF over SSH enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the NetConf SSH server:
RP/0/RP0/CPU0:Router#show running-config ssh server netconf
Wed Sep 9 16:00:00.000 UTC
ssh server netconf vrf mgmt ipv4 access-list NetConf_ACL_Ingress ipv6 access-list NetConf_ACL_Ingress
RP/0/RP0/CPU0:Router#
If NETCONF over SSH is enabled and IP ACLs are applied to the NETCONF SSH service, the device is configured correctly.
If NETCONF over SSH is enabled but IP ACLs are not configured to protect the NETCONF SSH service, either add the ssh server netconf ipv4|ipv6 access-list <name> configuration or migrate to a fixed release to leverage Management Interface filtering support of NETCONF SSH.
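The Step 1 to Step 4 procedure above, implemented as an added configuration checker that is not part of the Cisco advisory: it applies the same decision logic to captured show running-config text and reports which services still rely on the management-interface ACL alone (the ACL that Packet I/O platforms do not enforce for Linux-handled services). The sample configurations, the short platform labels in SSH_CHECK_PLATFORMS, the simplified ACL model (an ACL is taken to deny a port unless an entry permits it from any source) and the standard ports 22 and 830 are this example's own assumptions, not Cisco's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the Cisco advisory: applies the advisory's Step 1-4
# decision procedure to captured "show running-config" text. The sample configs,
# the platform labels and the ACL model below are this example's own assumptions.

GRPC_DEFAULT_PORT = 57400           # gRPC port used in the advisory's sample output
SSH_PORT, NETCONF_PORT = 22, 830    # standard service ports, assumed for the ACL check
# Platforms the advisory sends on to Steps 3 and 4 (Native Packet I/O platforms whose
# CiscoSSH is not covered by Traffic Protection). The short labels are ours.
SSH_CHECK_PLATFORMS = {"8000", "NCS540L", "NCS5700"}


@dataclass
class Finding:
    vulnerable: bool
    reasons: List[str] = field(default_factory=list)


def _block(config: str, header: str) -> Optional[List[str]]:
    """Stripped body lines of the first top-level block starting with `header`, or None
    if absent. Indented lines belong to the block; '!' or a top-level line ends it."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header):
            body = []
            for nxt in lines[i + 1:]:
                if nxt and not nxt[0].isspace():
                    break
                body.append(nxt.strip())
            return body
    return None


def mgmt_ingress_acls(config: str) -> List[str]:
    """Step 1: names of IPv4/IPv6 ACLs applied ingress on the management interface."""
    acls = []
    for line in config.splitlines():
        if line.startswith("interface MgmtEth"):
            acls += re.findall(r"(?:ipv4|ipv6) access-group (\S+) ingress",
                               "\n".join(_block(config, line) or []))
    return acls


def acl_restricts_port(config: str, acl: str, port: int) -> bool:
    """Simplified model of 'the ACL denies the port': IOS XR ACLs end in an implicit deny,
    so the port is restricted unless an entry permits it (or all traffic) from any source."""
    entries = (_block(config, f"ipv4 access-list {acl}") or []) + \
              (_block(config, f"ipv6 access-list {acl}") or [])
    return not any(re.search(rf"permit (?:ipv4|ipv6|tcp) any any(?: eq {port})?\s*$", e)
                   for e in entries)


def grpc_port(config: str) -> Optional[int]:
    """Step 2: configured gRPC port, or None when gRPC is not configured."""
    body = _block(config, "grpc")
    if body is None:
        return None
    m = next((re.match(r"port (\d+)", e) for e in body if e.startswith("port ")), None)
    return int(m.group(1)) if m else GRPC_DEFAULT_PORT


def traffic_protection_covers(config: str, port: int) -> bool:
    """Step 2: Traffic Protection for Linux Networking has a deny-by-default rule for the port."""
    return any(re.match(rf"protocol tcp local-port (?:{port}|all) default-action deny", e)
               for e in _block(config, "linux networking") or [])


def ssh_server_has_acl(config: str, netconf: bool = False) -> bool:
    """Steps 3-4: an access-list is attached in SSH server (or SSH NETCONF server) config mode."""
    for line in config.splitlines():
        is_netconf = line.startswith("ssh server netconf")
        if line.startswith("ssh server") and is_netconf == netconf \
                and re.search(r"(?:ipv4|ipv6) access-list \S+", line):
            return True
    return False


def assess(config: str, platform: str) -> Finding:
    """Walk the advisory's four steps; reasons list what still relies on the management ACL alone."""
    finding = Finding(vulnerable=False)
    acls = mgmt_ingress_acls(config)
    if not acls:                      # Step 1: no management-interface ACL -> not affected
        return finding
    gport = grpc_port(config)
    candidates = {SSH_PORT, NETCONF_PORT} | ({gport} if gport else set())
    blocked = {p for p in candidates if any(acl_restricts_port(config, a, p) for a in acls)}
    if not blocked:                   # Step 1: ACL does not deny these ports -> not affected
        return finding
    lines = config.splitlines()
    if gport in blocked and not traffic_protection_covers(config, gport):          # Step 2
        finding.reasons.append(f"gRPC tcp/{gport}: configure Traffic Protection for Linux Networking")
    if platform in SSH_CHECK_PLATFORMS:                                             # Steps 3 and 4
        if SSH_PORT in blocked and any(l.startswith("ssh server") for l in lines) \
                and not ssh_server_has_acl(config):
            finding.reasons.append("SSH: add 'ssh server vrf <vrf> ipv4|ipv6 access-list <name>'")
        if NETCONF_PORT in blocked and any(l.startswith("ssh server netconf") for l in lines) \
                and not ssh_server_has_acl(config, netconf=True):
            finding.reasons.append("NETCONF over SSH: add 'ssh server netconf vrf <vrf> ipv4|ipv6 access-list <name>'")
    finding.vulnerable = bool(finding.reasons)
    return finding


# Constructed sample configurations (not from the advisory). BASE has the Step 1
# management ACL plus gRPC and SSH enabled; the two variants differ only in how
# the Linux-handled services are protected.
BASE_CONFIG = """\
hostname Router
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 10.10.10.10 255.255.255.0
 ipv4 access-group MGMT_ACL ingress
!
ipv4 access-list MGMT_ACL
 10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 20 permit tcp 192.0.2.0 0.0.0.255 any eq 830
 30 permit tcp 192.0.2.0 0.0.0.255 any eq 57400
 40 deny ipv4 any any
!
grpc
 port 57400
!
ssh server v2
"""
# Weak: only the management-interface ACL, which Packet I/O platforms do not enforce for Linux apps.
WEAK_CONFIG = BASE_CONFIG + "ssh server netconf vrf default\n"
# Hardened per the Details section: Traffic Protection for gRPC, access-lists on the SSH servers.
HARDENED_CONFIG = BASE_CONFIG + """\
linux networking
 vrf default
  address-family ipv4
   protection
    protocol tcp local-port 57400 default-action deny
     permit remote-address 192.0.2.0/24 interface MgmtEth0/RP0/CPU0/0
    !
   !
  !
 !
!
ssh server vrf default ipv4 access-list MGMT_ACL
ssh server netconf vrf default ipv4 access-list MGMT_ACL
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg, "8000"))
```

Run against the weak sample on an 8000 Series platform the checker reports all three services; on a Migrated Packet I/O platform such as the ASR 9000 it reports only gRPC, because the advisory routes those platforms past Steps 3 and 4. Feed it real show running-config captures by replacing the constructed samples; the ACL model is deliberately simple and should be reviewed by hand for ACLs that use object groups or non-TCP matches.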
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software
IOS XE Software
NX-OS Software
Details
Cisco IOS XR Software Packet I/O infrastructure is used on all releases that are running on the following Cisco platforms (Native Packet I/O platforms):
8000 Series Routers
IOS XRd vRouters
NCS 540 Series Routers (NCS540L base image)
NCS 1010 Platforms (1)
NCS 1014 Platforms (1)
NCS 5700 Series Routers (NCS5700 base image)
(1) Cisco NCS 1010 and NCS 1014 Platforms treat traffic arriving over the software GigabitEthernet0/0/0/[0-3] interfaces as management traffic, so ACLs applied to those interfaces are subject to the same conditions as ACLs applied to the MgmtEth interface.
The following platforms migrated to a Packet I/O infrastructure in the specified releases (Migrated Packet I/O platforms):
ASR 9000 Series Aggregation Services Routers — 24.1.1 and later
IOS XR White box (IOSXRWBD) — 7.9.1 and later
IOS XRv 9000 Routers — 24.1.1 and later
NCS 540 Series Routers — 7.9.1 and later
NCS 560 Series Routers — 24.2.1 and later
NCS 5500 Series Routers — 7.9.1 and later
Within Cisco IOS XR Software Packet I/O infrastructure, an ACL that is applied to the management interface does not get enforced for any Linux applications. This includes gRPC, SSH (CiscoSSH), NETCONF, and customer-installed Linux applications.
Native Packet I/O Platforms
This section includes details for releases that do not support management interface ACLs.
gRPC
Filtering for the gRPC services should be done using Traffic Protection for Linux Networking. For more details, see the Best Practices with Traffic Protection ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#bestpractraffic"] section of the Cisco IOS XR Software Hardening Guide.
Traffic Protection for Linux Networking protects against inbound traffic that does not match established connections, not against outbound traffic.
Filtering gRPC through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.2 and later and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo52518 ["https://bst.cisco.com/bugsearch/bug/CSCwo52518"].
SSH and NETCONF over SSH
These platforms use CiscoSSH, which is handled in Linux Networking. Traffic Protection for Linux Networking does not cover CiscoSSH.
To filter out the ingress SSH and Netconf traffic, Cisco recommends configuring the ingress ACL under the SSH server configuration mode:
For SSH: ssh server vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name
For Netconf: ssh server netconf vrf vrf-name ipv4 access-list ipv4-access-list-name ipv6 access-list ipv6-access-list-name
Filtering SSH and Netconf over SSH through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.1 and later. This is documented in Cisco bug ID CSCwb70861 ["https://bst.cisco.com/bugsearch/bug/CSCwb70861"].
For Cisco IOS XR Software releases 25.1.1 and later, when configuring filtering on the management interface for SSH and NetConf traffic, administrators must configure ssh server packet-flow-netio ingress.
Migrated Packet I/O Platforms
gRPC
After a platform has migrated to a release that supports Packet I/O, filtering for the gRPC services should be done using the instructions in the Traffic Protection for Linux Networking ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux"] section of the Cisco IOS XR Software Hardening Guide.
On the Migrated Packet I/O platforms listed at the top of this section, filtering gRPC through an ingress ACL that is applied to the management interface is supported from Cisco IOS XR Software releases 24.2.21 and later, releases 25.1.2 and later, and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo51041 ["https://bst.cisco.com/bugsearch/bug/CSCwo51041"].
SSH and NETCONF over SSH
At the time of publication, the platforms that are listed at the top of this section use an SSH service that is not affected by the vulnerability that is described in this advisory.
Filtering is supported either through the SSH server configuration mode or through an ingress management interface ACL.
Workarounds
There are no workarounds for attaching the IPv4 or IPv6 ACL to the management interface to block gRPC, SSH, or NETCONF over SSH. Customers need to migrate to a fixed release that introduces support for this feature. For more information about the platforms and the types of filtering to apply to the affected protocols to ensure that devices are properly protected from unauthorized access, see the Details ["#details"] section of this advisory.
However, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
In the following table, the left column lists the Cisco platform. The middle and right columns give, for gRPC and for SSH and NETCONF respectively, the first release that supports filtering of that protocol through a management interface ACL, or state that the platform is not affected for that protocol.
Cisco Platform                                    | First Fixed Release that Supports Management Interface ACLs – gRPC | First Fixed Release that Supports Management Interface ACLs – SSH and NETCONF
8000 Series Routers (1)                           | 25.1.2, 25.2.1          | 25.1.1
ASR 9000 Series Aggregation Services Routers      | 24.2.21, 25.1.2, 25.2.1 | Not affected
IOS XR White box (IOSXRWBD)                       | 24.2.21, 25.1.2, 25.2.1 | Not affected
IOS XRd vRouters                                  | 25.1.2, 25.2.1          | 25.1.1
IOS XRv 9000 Routers                              | 24.2.21, 25.1.2, 25.2.1 | Not affected
NCS 540 Series Routers (NCS540-iosxr base image)  | 24.2.21, 25.1.2, 25.2.1 | Not affected
NCS 540 Series Routers (NCS540L-iosxr base image) | 25.1.2, 25.2.1          | 25.1.1
NCS 560 Series Routers                            | 24.2.21, 25.1.2, 25.2.1 | Not affected
NCS 1010 Platforms                                | 25.1.2, 25.2.1          | 25.1.1
NCS 1014 Platforms                                | 25.1.2, 25.2.1          | 25.1.1
NCS 5500 Series Routers                           | 24.2.21, 25.1.2, 25.2.1 | Not affected
NCS 5700 Series Routers                           | 25.1.2, 25.2.1          | 25.1.1
(1) In Cisco 8000 deployments that use dual route processors, the filtering on the standby route processor management interface is not correctly enforced. Customers who have dual route processors should migrate to Release 25.2.2, 25.4.1, or 26.1.1 when available to ensure filtering is correctly applied on both active and standby route processors. This is documented in Cisco bug ID CSCwq48170 ["https://bst.cisco.com/bugsearch/bug/CSCwq48170"].
No SMUs have been made available for this vulnerability because there are suitable alternative configurations that can be put in place to protect devices. Customers who want support for these protocols on a configured ACL on the management interface should upgrade to a fixed software release.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was found during the resolution of a Cisco TAC support case.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
The information in this document is intended for end users of Cisco products.", "title": "Legal Disclaimer" } ], "publisher": { "category": "vendor", "contact_details": "psirt@cisco.com", "issuing_authority": "Cisco PSIRT", "name": "Cisco", "namespace": "https://wwww.cisco.com" }, "references": [ { "category": "self", "summary": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz" }, { "category": "external", "summary": "Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication", "url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549" }, { "category": "external", "summary": "Cisco Security Vulnerability Policy", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html" }, { "category": "external", "summary": "Best Practices with Traffic Protection", "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#bestpractraffic" }, { "category": "external", "summary": "CSCwo52518", "url": "https://bst.cisco.com/bugsearch/bug/CSCwo52518" }, { "category": "external", "summary": "CSCwb70861", "url": "https://bst.cisco.com/bugsearch/bug/CSCwb70861" }, { "category": "external", "summary": "Traffic Protection", "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-IOS-XR-HardeningGuide#trafficthirdlinux" }, { "category": "external", "summary": "CSCwo51041", "url": "https://bst.cisco.com/bugsearch/bug/CSCwo51041" }, { "category": "external", "summary": "considering software upgrades", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes" }, { "category": "external", "summary": "Cisco Security Advisories page", "url": "https://www.cisco.com/go/psirt" }, { "category": "external", "summary": "CSCwq48170", "url": 
"https://bst.cisco.com/bugsearch/bug/CSCwq48170" }, { "category": "external", "summary": "Security Vulnerability Policy", "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html" } ], "title": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability", "tracking": { "current_release_date": "2025-09-10T16:00:00+00:00", "generator": { "date": "2025-09-10T15:54:48+00:00", "engine": { "name": "TVCE" } }, "id": "cisco-sa-acl-packetio-Swjhhbtz", "initial_release_date": "2025-09-10T16:00:00+00:00", "revision_history": [ { "date": "2025-09-10T15:54:38+00:00", "number": "1.0.0", "summary": "Initial public release." } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_family", "name": "Cisco IOS XR Software", "product": { "name": "Cisco IOS XR Software ", "product_id": "CSAFPID-5834" } } ], "category": "vendor", "name": "Cisco" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-20159", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCwo51041" }, { "system_name": "Cisco Bug ID", "text": "CSCwb70861" }, { "system_name": "Cisco Bug ID", "text": "CSCwo52518" }, { "system_name": "Cisco Bug ID", "text": "CSCwq48170" } ], "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-5834" ] }, "release_date": "2025-09-10T16:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-5834" ], "url": "https://software.cisco.com" }, { "category": "workaround", "details": "There are no workarounds for attaching the IPv4 or IPv6 ACL to the management interface to block gRPC, SSH, or NETCONF over SSH. Customers need to migrate to a fixed release that introduces support for this feature. 
For more information about the platforms and the types of filtering to apply to the affected protocols to ensure that devices are properly protected from unauthorized access, see the Details [\"#details\"] section of this advisory.\r\n\r\nHowever, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).\r\n\r\nWhile this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.", "product_ids": [ "CSAFPID-5834" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-5834" ] } ], "title": "Cisco IOS XR Software Management Interface ACL Bypass Vulnerability" } ] }