CVE-2025-20146

HIGH
Published Mar 12, 2025 Modified Aug 1, 2025 CWE-20

Description

A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of malformed IPv4 multicast packets that are received on line cards where the interface has either an IPv4 access control list (ACL) or a QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 multicast packets through an affected device. A successful exploit could allow the attacker to cause line card exceptions or a hard reset. Traffic over that line card would be lost while the line card reloads.

Is your site exposed to CVE-2025-20146?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

8.6
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Weakness Type (CWE)

CWE-20 Improper Input Validation

Affected Products

Vendor Product
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco ios_xr
cisco asr_9006
cisco asr_9010
cisco asr_9901
cisco asr_9902
cisco asr_9903
cisco asr_9904
cisco asr_9906
cisco asr_9910
cisco asr_9912
cisco asr_9922

References

Frequently Asked Questions

What is CVE-2025-20146? +
A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of malformed IPv4 multicast packets that are received on line cards where the interface has either an IPv4 access control list (ACL) or a QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 multicast packets through an affected device. A successful exploit could allow the attacker to cause line card exceptions or a hard reset. Traffic over that line card would be lost while the line card reloads. It has a CVSS v3.1 base score of 8.6 (HIGH).
How severe is CVE-2025-20146? +
CVE-2025-20146 has a CVSS v3.1 score of 8.6 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-20146? +
CVE-2025-20146 affects products from cisco, specifically: asr_9006, asr_9010, asr_9901, asr_9902, asr_9903, asr_9904, asr_9906, asr_9910, asr_9912, asr_9922, ios_xr. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-20146? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-20146 — free, no signup required.