Vulnslist

find the latest Cisco vulnerabilities

Cisco IOS XR Software Hybrid Access Control List Bypass Vulnerability

cisco-sa-ncs-hybridacl-crMZFfKQ · Medium · Published · Updated

A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass a configured ACL on the affected device. For more information, see the Details section of this advisory. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs-hybridacl-crMZFfKQ This advisory is part of the March 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.

Cisco advisory ·CSAF JSON

Workarounds

There is a workaround that addresses this vulnerability.

Examine the object groups that make up the ACL. If the same IPv4 source or destination or both appear more than 31 times in object groups that comprise the ACL, remove access control entries until there are 31 or fewer entries of the same IPv4 address in both the source and destination entries.

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEsCVE-2025-20144
Cisco Bug IDsCSCwi49569
CVSS ScoreBase 4.0
Base 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Product Names From Source
Cisco IOS XR Software, Cisco IOS

CSAF Product Statuses

Product Status Source CVE Rows
Cisco IOS XR Software known_affected cisco_csaf CVE-2025-20144 1

Related Products

Product CVE Evidence
Cisco IOS XR Software CVE-2025-20144 Cisco OpenVuln
Cisco IOS CVE-2025-20144 Cisco OpenVuln
Cisco IOS Software CVE-2025-20144 Cisco OpenVuln