Vulnerability in Cisco IOS XR Software Allows Unauthorized Software Loading
CVE-2025-20143

6.7MEDIUM

Key Information:

Vendor
Cisco
Vendor
CVE Published:
12 March 2025

Badges

👾 Exploit Exists

Summary

A vulnerability exists in the boot process of Cisco IOS XR Software that enables an authenticated user with elevated privileges to circumvent the Secure Boot mechanism and load unverified software onto affected devices. This issue arises due to inadequate verification of modules during the software load process. An attacker could leverage this flaw to manipulate binaries, effectively bypassing certain integrity checks enforced during boot. Exploiting this vulnerability allows an attacker to take control of the boot configuration, which could lead to the ability to run Cisco unsigned images or modify the security characteristics of the operating system. Cisco has issued software updates to remediate this vulnerability, with no available workarounds.

Affected Version(s)

Cisco IOS XR Software 6.5.3

Cisco IOS XR Software 6.5.2

Cisco IOS XR Software 6.5.92

References

CVSS V3.1

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.