Executive Summary

CVE-2025-20159 is a medium-severity vulnerability in Cisco IOS XR Software where the management interface access control lists (ACLs) do not properly enforce restrictions on Linux-handled features such as SSH, NetConf, and gRPC. This means an unauthenticated remote attacker can bypass these ACLs on the management interface and potentially send unauthorized traffic to the device. The root cause is that ACLs applied to the management interface are not supported or enforced for these protocols within the Packet I/O infrastructure, allowing attackers to circumvent intended access controls. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an unauthenticated remote attacker to bypass ingress ACLs on the management interface for SSH, NetConf, and gRPC services. As a result, the attacker could potentially gain unauthorized access or control over the affected Cisco IOS XR device by sending traffic that should have been blocked by the ACLs. This could lead to unauthorized configuration changes, data exposure, or disruption of network management functions. [1]

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability, check if IP ACLs are applied to the management interface blocking gRPC, SSH, or NetConf ports. Use the following commands to verify configurations: - `show running-config interface mgmtEth <value>` to check ACLs on the management interface. - `show running-config grpc` and `show running-config linux networking` to verify gRPC and Traffic Protection configurations. - `show running-config ssh` to verify SSH configuration and confirm IP ACLs applied to SSH service. - `show running-config ssh server netconf` to verify NetConf over SSH configuration and confirm IP ACLs applied. These commands help determine if the device is vulnerable due to missing ACL enforcement on Linux-handled features. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: - Upgrade affected Cisco IOS XR Software to fixed releases that support management interface ACL enforcement for SSH, NetConf, and gRPC. The fixed releases vary by platform but generally start from releases 25.1.1 or 25.1.2 and later. - For SSH and NetConf, configure ingress ACLs under SSH server configuration mode using commands such as `ssh server vrf <vrf-name> ipv4 access-list <acl-name>` and/or `ipv6 access-list <acl-name>`, and enable filtering with `ssh server packet-flow-netio ingress` on supported releases. - For gRPC, filtering is supported only from certain releases and requires Traffic Protection for Linux Networking. - If upgrading is not immediately possible, contact Cisco TAC for coordinated workaround implementation, understanding that workarounds may impact network functionality or performance. - Verify device compatibility and memory before upgrading and consult Cisco TAC for assistance. [1]

Useful 0 Not Useful 0