Cisco IOS XR Software Management Interface ACL Bypass Vulnerability – Source:sec.cloudapps.cisco.com

Source: sec.cloudapps.cisco.com

Cisco IOS XR Software Management Interface ACL Bypass Vulnerability

Security Impact Rating (SIR): Medium

CVE ID: CVE-2025-20159

CWE: CWE-284

Summary

  • A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NETCONF, and gRPC features.

    This vulnerability exists because management interface ACLs have not been supported, and are therefore not enforced, on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NETCONF, or gRPC. An attacker could exploit this vulnerability by sending traffic for one of those services to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.

    For more information about this vulnerability, see the Details section of this advisory.

    Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz

    This advisory is part of the September 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.

Affected Products

  • At the time of publication, this vulnerability affected the following Cisco platforms and Cisco IOS XR Software releases if they had an IPv4 or IPv6 ACL attached to the management interface:

    Affected Cisco Platform                                                      | Affected Cisco IOS XR Software Releases
    -----------------------------------------------------------------------------|------------------------------------------------------------------
    8000 Series Routers                                                          | Software image earlier than the first fixed release
    ASR 9000 Series Aggregation Services Routers                                 | Releases 24.1.1 and later but earlier than the first fixed release
    IOS XR White box (IOSXRWBD)                                                  | Releases 7.9.1 and later but earlier than the first fixed release
    IOS XRd vRouters                                                             | Software image earlier than the first fixed release
    IOS XRv 9000 Routers                                                         | Releases 24.1.1 and later but earlier than the first fixed release
    Network Convergence Series (NCS) 540 Series Routers (NCS540-iosxr base image) | Releases 7.9.1 and later but earlier than the first fixed release
    NCS 540 Series Routers (NCS540L-iosxr base image)                            | All releases earlier than the first fixed release
    NCS 560 Series Routers                                                       | Releases 24.2.1 and later but earlier than the first fixed release
    NCS 1010 Platforms                                                           | Software image earlier than the first fixed release
    NCS 1014 Platforms                                                           | Software image earlier than the first fixed release
    NCS 5500 Series Routers                                                      | Releases 7.9.1 and later but earlier than the first fixed release
    NCS 5700 Series Routers                                                      | NCS5700 base image earlier than the first fixed release

    For more information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    Determine Whether a Configuration Is Vulnerable

    To determine whether a device from the preceding table has a vulnerable configuration, complete the following steps:

    Step 1: Determine whether there is an IP ACL

    To determine whether the device has an IP ACL on the management interface that is configured to block gRPC, SSH, or NETCONF over SSH, use the show running-config interface mgmtEth <value> CLI command. The following example shows the output on a device that has an IPv4 ACL configured on the management interface:

    RP/0/RP0/CPU0:Router# show running-config interface mgmtEth 0/RP0/CPU0/0
    Wed Sep 9 16:00:00.000 UTC
    interface MgmtEth0/RP0/CPU0/0
     ipv4 address 10.10.10.10 255.255.255.0
     ipv4 access-group MGMT_ACL ingress
    !
    RP/0/RP0/CPU0:Router#

    Examine the contents of the MGMT_ACL. If it is configured to deny the ports that are configured for gRPC, SSH, or NETCONF over SSH, this is a match. Proceed to Step 2.

    Otherwise, the device is not affected. Stop here.

    Step 2: Determine the status of gRPC

    To determine whether gRPC is configured on a device, use the show running-config grpc CLI command. The following example shows the output on a device that has gRPC enabled and configured:

    RP/0/RP0/CPU0:Router# show running-config grpc
    Wed Sep 9 16:00:00.000 UTC
    grpc
     port 57400
    !

    RP/0/RP0/CPU0:Router#

    If gRPC is enabled, use the show running-config linux networking CLI command to determine whether Traffic Protection for Linux Networking is configured. The following example shows the output on a device that allows gRPC only from a single remote subnet on a single local interface:

    RP/0/RP0/CPU0:Router# show running-config linux networking
    Wed Sep 9 16:00:00.000 UTC
    linux networking
     vrf default
      address-family ipv4
       protection
        protocol tcp local-port all default-action deny
        !
        protocol tcp local-port 57400 default-action deny
         permit remote-address 192.0.2.0/24 interface HundredGigE0/0/0/25
        !
       !
      !
     !
    RP/0/RP0/CPU0:Router#

    If gRPC is enabled and Traffic Protection is configured to protect the gRPC service, the device is configured correctly.

    If gRPC is enabled but Traffic Protection is not configured to protect the gRPC service, either configure Traffic Protection or migrate to a fixed release to leverage Management Interface filtering support of gRPC.

    Proceed to Step 3 only if evaluating the following Cisco products and releases:

    • 8000 Series Routers that are running an IOS XR image earlier than the first fixed release
    • NCS 540 Series Routers that are running an NCS540L-iosxr base image earlier than the first fixed release
    • NCS 5700 Series Routers that are running an NCS5700 base image earlier than the first fixed release

    Otherwise, stop here.

    Step 3: Determine the status of SSH

    To determine whether SSH is configured on a device, use the show running-config ssh CLI command. The following example shows the output on a device that has the SSH service enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the SSH server:

    RP/0/RP0/CPU0:Router# show running-config ssh
    Wed Sep 9 16:00:00.000 UTC
    ssh server v2
    ssh server vrf mgmt ipv4 access-list SSH_ACL_Ingress ipv6 access-list SSH_ACL_Ingress

    RP/0/RP0/CPU0:Router#

    If SSH is enabled and IP ACLs are applied to the SSH service, the device is configured correctly.

    If SSH is enabled but IP ACLs are not configured to protect the SSH service, either add the ssh server ipv4|ipv6 access-list configuration or migrate to a fixed release to leverage Management Interface filtering support of SSH.

    Proceed to Step 4.

    Step 4: Determine the status of NETCONF over SSH

    To determine whether NETCONF over SSH is configured, use the show running-config ssh server netconf CLI command. The following example shows the output on a device that has NETCONF over SSH enabled and configured. In this example, the device has both an IPv4 ACL and an IPv6 ACL configured against the NetConf SSH server:

    RP/0/RP0/CPU0:Router#show running-config ssh server netconf
    Wed Sep 9 16:00:00.000 UTC
    ssh server netconf vrf mgmt ipv4 access-list NetConf_ACL_Ingress ipv6 access-list NetConf_ACL_Ingress

    RP/0/RP0/CPU0:Router#

    If NETCONF over SSH is enabled and IP ACLs are applied to the NETCONF SSH service, the device is configured correctly.

    If NETCONF over SSH is enabled but IP ACLs are not configured to protect the NETCONF SSH service, either add the ssh server netconf ipv4|ipv6 access-list configuration or migrate to a fixed release to leverage Management Interface filtering support of NETCONF SSH.

    Only products listed in the Affected Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

    • IOS Software
    • IOS XE Software
    • NX-OS Software

Details

  • Cisco IOS XR Software Packet I/O infrastructure is used on all releases that are running on the following Cisco platforms (Native Packet I/O platforms):

    • 8000 Series Routers
    • IOS XRd vRouters
    • NCS 540 Series Routers (NCS540L base image)
    • NCS 1010 Platforms [1]
    • NCS 1014 Platforms [1]
    • NCS 5700 Series Routers (NCS5700 base image)

    [1] On Cisco NCS 1010 and NCS 1014 Platforms, the software GigabitEthernet0/0/0/[0-3] interfaces are treated as management interfaces, so an ACL applied to them is subject to the same conditions as an ACL on the MgmtEth interface.

    The following platforms migrated to a Packet I/O infrastructure in the specified releases (Migrated Packet I/O platforms):

    • ASR 9000 Series Aggregation Services Routers – 24.1.1 and later
    • IOS XR White box (IOSXRWBD) – 7.9.1 and later
    • IOS XRv 9000 Routers – 24.1.1 and later
    • NCS 540 Series Routers – 7.9.1 and later
    • NCS 560 Series Routers – 24.2.1 and later
    • NCS 5500 Series Routers – 7.9.1 and later

    Within Cisco IOS XR Software Packet I/O infrastructure, an ACL that is applied to the management interface does not get enforced for any Linux applications. This includes gRPC, SSH (CiscoSSH), NETCONF, and customer-installed Linux applications.

    Native Packet I/O Platforms

    This section includes details for releases that do not support management interface ACLs.

    gRPC

    Filtering for the gRPC services should be done using Traffic Protection for Linux Networking. For more details, see the Best Practices with Traffic Protection section of the Cisco IOS XR Software Hardening Guide.

    Traffic Protection for Linux Networking protects against inbound traffic that does not match established connections, not against outbound traffic.

    Filtering gRPC through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.2 and later and releases 25.2.1 and later. This is documented in Cisco bug ID CSCwo52518.

    SSH and NETCONF over SSH

    These platforms use CiscoSSH, which is handled in Linux Networking. Traffic Protection for Linux Networking does not cover CiscoSSH.

    To filter ingress SSH and NETCONF traffic, Cisco recommends configuring the ingress ACL in SSH server configuration mode:

    • For SSH: ssh server vrf <vrf-name> ipv4 access-list <ipv4-access-list-name> ipv6 access-list <ipv6-access-list-name>
    • For NETCONF: ssh server netconf vrf <vrf-name> ipv4 access-list <ipv4-access-list-name> ipv6 access-list <ipv6-access-list-name>

    Filtering SSH and NETCONF over SSH through an ingress management interface ACL is supported only from Cisco IOS XR Software releases 25.1.1 and later. This is documented in Cisco bug ID CSCwb70861.

    For Cisco IOS XR Software releases 25.1.1 and later, when configuring filtering on the management interface for SSH and NETCONF traffic, administrators must also configure ssh server packet-flow-netio ingress.

    Migrated Packet I/O Platforms

    gRPC

    After a platform has migrated to a release that supports Packet I/O, filtering for the gRPC services should be done using the instructions in the Traffic Protection for Linux Networking section of the Cisco IOS XR Software Hardening Guide.

    On the Migrated Packet I/O platforms listed at the top of this section, filtering gRPC through an ingress ACL that is applied to the management interface is supported from Cisco IOS XR Software releases 24.2.21 and later, 25.1.2 and later, and 25.2.1 and later. This is documented in Cisco bug ID CSCwo51041.

    SSH and NETCONF over SSH

    At the time of publication, the platforms that are listed at the top of this section use an SSH service that is not affected by the vulnerability that is described in this advisory.

    Filtering is supported either through the SSH server configuration mode or through an ingress management interface ACL.
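The four-step check in the Affected Products section and the platform split described in this Details section (Traffic Protection for Linux Networking guards gRPC; the ssh server access-list guards SSH and NETCONF over SSH on Native Packet I/O platforms; the SSH service on Migrated Packet I/O platforms is not affected) reduce to a decision procedure that is worth scripting across a fleet. The Python below is an added example written for this page; it is not Cisco's code and is not part of the advisory. It assumes the show running-config output shape used in the examples above (one space of indentation per nesting level, "!" block terminators), ACL entries in the simple <seq> permit|deny <proto> <src> <dst> [eq <port>] form, and that the caller states via a boolean whether the device is a Native Packet I/O platform (the Step 3 scope). The function names, the verdict strings and both sample configurations are constructed for the example.

```python
# Added example, not Cisco's code: applies the advisory's Steps 1-4 to an IOS XR running-config.
# Parses ACL entries of the form '<seq> permit|deny <proto> <src> <dst> [eq <port>]' with
# single-token addresses; any other entry shape counts as a matching deny, never as a permit.
import re
SSH_PORT, NETCONF_PORT, GRPC_DEFAULT_PORT = 22, 830, 57400

def top_blocks(config):
    """[(header, [child lines])] per top-level line; IOS XR indents one space per level."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def mgmt_ingress_acls(config, mgmt_if_re=r"interface MgmtEth"):
    """Step 1: (af, ACL) per ingress ACL on a management interface (widen mgmt_if_re on NCS 1010/1014)."""
    pat = re.compile(r"(ipv4|ipv6) access-group (\S+) ingress$")
    return [m.groups() for h, kids in top_blocks(config) if re.match(mgmt_if_re, h)
            for m in map(pat.match, kids) if m]

def _ace(line):
    """'10 permit tcp 192.0.2.0/24 any eq 22' -> ('permit', 'tcp', '192.0.2.0/24', 22)."""
    t = line.split()[1:] if line[:1].isdigit() else line.split()   # drop the sequence number
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None                                                # remark or unsupported line
    rest = t[4:]                                                   # tokens after src and dst
    port = (None if not rest else                                  # None: every port; '?': unparsed
            int(rest[1]) if rest[0] == "eq" and len(rest) > 1 and rest[1].isdigit() else "?")
    return t[0], t[1], t[2], port

def acl_restricts_port(config, af, name, port):
    """Step 1: 'configured to deny' TCP to port for some source (deny, source-limited permit, implicit deny)."""
    kids = dict(top_blocks(config)).get(f"{af} access-list {name}", [])   # undefined: implicit deny
    for action, proto, src, p in filter(None, map(_ace, kids)):
        if proto not in ("tcp", "ipv4", "ipv6"):
            continue
        if action == "deny" and p in (None, port, "?"):
            return True
        if action == "permit" and src == "any" and p in (None, port):
            return False                                           # blanket permit reached first
    return True

def grpc_status(config):
    """Step 2: (gRPC port or None if gRPC is off, Traffic Protection default-action deny present)."""
    blocks = dict(top_blocks(config))
    if "grpc" not in blocks:
        return None, False
    port = next((int(c.split()[1]) for c in blocks["grpc"] if re.match(r"port \d+$", c)),
                GRPC_DEFAULT_PORT)
    pat = rf"protocol tcp local-port ({port}|all) default-action deny$"
    return port, any(re.match(pat, c) for c in blocks.get("linux networking", []))

def ssh_status(config, netconf):
    """Steps 3/4: (enabled, access-list applied) for 'ssh server' or 'ssh server netconf'."""
    lines = [h for h, _ in top_blocks(config)
             if h.startswith("ssh server") and netconf == h.startswith("ssh server netconf")]
    return bool(lines), any(re.search(r"\b(ipv4|ipv6) access-list \S+", h) for h in lines)

def audit(config, native_packet_io):
    """Per service: 'disabled', 'acl-permits' (management ACL does not deny that port), 'protected',
    'EXPOSED', or 'not-affected' (SSH/NETCONF on Migrated Packet I/O platforms); {} = no mgmt ACL."""
    acls = mgmt_ingress_acls(config)
    if not acls:
        return {}
    blocked = lambda port: any(acl_restricts_port(config, af, n, port) for af, n in acls)
    gport, gprot = grpc_status(config)
    rows = {  # service: (enabled, enforced control present, port, in scope)
        "grpc": (gport is not None, gprot, gport, True),
        "ssh": (*ssh_status(config, False), SSH_PORT, native_packet_io),
        "netconf": (*ssh_status(config, True), NETCONF_PORT, native_packet_io)}
    return {svc: "not-affected" if not scope else "disabled" if not on else "acl-permits"
            if not blocked(port) else "protected" if guard else "EXPOSED"
            for svc, (on, guard, port, scope) in rows.items()}

# Constructed sample: the management ACL limits 22/830/57400 to a jump subnet and nothing
# else guards those services, which is exactly the control Packet I/O platforms do not enforce.
BASE_CONFIG = """\
ipv4 access-list MGMT_ACL
 10 permit tcp 192.0.2.0/24 any
 20 deny tcp any any eq 22
 30 deny tcp any any eq 830
 40 deny tcp any any eq 57400
 50 permit ipv4 any any
interface MgmtEth0/RP0/CPU0/0
 ipv4 access-group MGMT_ACL ingress
grpc
 port 57400
"""
WEAK_CONFIG = BASE_CONFIG + "ssh server vrf mgmt\nssh server netconf vrf mgmt\n"
# Same device with the controls the advisory recommends instead (also constructed).
HARDENED_CONFIG = BASE_CONFIG + """\
ssh server vrf mgmt ipv4 access-list SSH_ACL_Ingress
ssh server netconf vrf mgmt ipv4 access-list NetConf_ACL_Ingress
linux networking
 vrf default
  address-family ipv4
   protection
    protocol tcp local-port 57400 default-action deny
     permit remote-address 192.0.2.0/24 interface MgmtEth0/RP0/CPU0/0
"""
```

Feed it the saved output of show running-config from each device. On the weak sample, audit(cfg, native_packet_io=True) reports EXPOSED for all three services, and with native_packet_io=False it reports EXPOSED for gRPC only, which is the Migrated Packet I/O case; the hardened sample reports protected for all three. The parser only models eq port qualifiers and single-token addresses; an entry it does not understand counts as a deny that matches and never as a permit that matches, so its errors fall on the side of reporting exposure, and acl-permits should be read as a prompt to re-examine the ACL by hand rather than as a clean bill of health.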

Workarounds

  • There is no workaround that makes an IPv4 or IPv6 ACL attached to the management interface block gRPC, SSH, or NETCONF over SSH; customers need to migrate to a fixed release that introduces support for this feature. For more information about the platforms and the types of filtering to apply to the affected protocols so that devices are properly protected from unauthorized access, see the Details section of this advisory.

    However, a workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).

    While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

  • When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    In the following table, the left column lists the affected Cisco platforms. The middle and right columns list the first Cisco IOS XR Software release in each affected train that adds management interface ACL support for gRPC and for SSH and NETCONF over SSH, respectively; "Not affected" means that the platform's SSH service is not affected by this vulnerability (see the Details section).

    Cisco Platform                                       | First Fixed Release (gRPC)  | First Fixed Release (SSH and NETCONF)
    -----------------------------------------------------|-----------------------------|--------------------------------------
    8000 Series Routers [1]                              | 25.1.2, 25.2.1              | 25.1.1
    ASR 9000 Series Aggregation Services Routers         | 24.2.21, 25.1.2, 25.2.1     | Not affected
    IOS XR White box (IOSXRWBD)                          | 24.2.21, 25.1.2, 25.2.1     | Not affected
    IOS XRd vRouters                                     | 25.1.2, 25.2.1              | 25.1.1
    IOS XRv 9000 Routers                                 | 24.2.21, 25.1.2, 25.2.1     | Not affected
    NCS 540 Series Routers (NCS540-iosxr base image)     | 24.2.21, 25.1.2, 25.2.1     | Not affected
    NCS 540 Series Routers (NCS540L-iosxr base image)    | 25.1.2, 25.2.1              | 25.1.1
    NCS 560 Series Routers                               | 24.2.21, 25.1.2, 25.2.1     | Not affected
    NCS 1010 Platforms                                   | 25.1.2, 25.2.1              | 25.1.1
    NCS 1014 Platforms                                   | 25.1.2, 25.2.1              | 25.1.1
    NCS 5500 Series Routers                              | 24.2.21, 25.1.2, 25.2.1     | Not affected
    NCS 5700 Series Routers                              | 25.1.2, 25.2.1              | 25.1.1

    [1] In Cisco 8000 deployments that use dual route processors, the filtering on the standby route processor management interface is not correctly enforced. Customers who have dual route processors should migrate to Release 25.2.2, 25.4.1, or 26.1.1 when available to ensure that filtering is correctly applied on both the active and the standby route processors. This is documented in Cisco bug ID CSCwq48170.

    No SMUs have been made available for this vulnerability because there are suitable alternative configurations that can be put in place to protect devices. Customers who want support for these protocols on a configured ACL on the management interface should upgrade to a fixed software release.

    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Revision History

  • Version | Description             | Section | Status | Date
    1.0     | Initial public release. |         | Final  | 2025-SEP-10

Original Post url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20IOS%20XR%20Software%20Management%20Interface%20ACL%20Bypass%20Vulnerability%26vs_k=1
