Cisco IOS, IOS XE, and IOS XR Software TWAMP Denial of Service Vulnerability – Source:sec.cloudapps.cisco.com

May 12, 2025
Post Author / Publisher: Cisco Security Blog

CISO2CISO post categories: 'Cyber, 1 - Cyber Security News Post, Cisco, Cisco Security Blog, Cisco Security Blog, Cyber Security News, Cyber Security News, rss-feed-post-generator-echo, rss-feeds-Autogenerated

Rate this post

Source: sec.cloudapps.cisco.com – Author: .

Cisco IOS, IOS XE, and IOS XR Software TWAMP Denial of Service Vulnerability

High

CVE-2025-20154

CWE-20

Download CSAF

Summary

A vulnerability in the Two-Way Active Measurement Protocol (TWAMP) server feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. For Cisco IOS XR Software, this vulnerability could cause the ipsla_ippm_server process to reload unexpectedly if debugs are enabled.

This vulnerability is due to out-of-bounds array access when processing specially crafted TWAMP control packets. An attacker could exploit this vulnerability by sending crafted TWAMP control packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Note: For Cisco IOS XR Software, only the ipsla_ippm_server process reloads unexpectedly and only when debugs are enabled. The vulnerability details for Cisco IOS XR Software are as follows:

Security Impact Rating (SIR): Low
CVSS Base Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn

This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

This vulnerability affects the following Cisco products if they have the TWAMP server feature enabled:
- IOS Software is affected with or without debugs enabled.
- IOS XE Software
  - Releases 16.6.1 through 17.2.3 are affected only if the debug command debug ip sla trace twamp connection is active.
  - All other releases (up to the first fixed release) do not require debugs to be enabled to be affected by this vulnerability.
- IOS XR Software is affected only if the debug command debug ipsla trace twamp connection is active.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the TWAMP Server Configuration

Cisco IOS and Cisco IOS XE Software

To determine whether the TWAMP server is enabled on a device, use the show running-config | include ip sla server twamp CLI command. If the TWAMP server feature is enabled, the device is affected by this vulnerability.

The following example shows the output for a device that has the TWAMP server enabled:
```
Router#show running-config | include ip sla server twamp
ip sla server twamp
Router#
```
If the command returns no output or an error, the device is not affected.

To determine whether the TWAMP debugs are enabled on a device that is running Cisco IOS XE Software, use the show debug | include TWAMP Server Connection TRACE CLI command.

The following example shows the output for a device that has the IP SLA debugs enabled:
```
Router#show debug | include TWAMP Server Connection TRACE
IPPM TWAMP Server Connection TRACE debug all
Router#
```
If the command returns no output or an error, the device does not have the debugs enabled.

Cisco IOS XR Software

To determine whether the TWAMP server is enabled on a device, use the show running-config ipsla server twamp CLI command. If the TWAMP server feature is enabled, the device is affected by this vulnerability.

The following example shows the output for a device that has the IP SLA responder enabled:
```
RP/0/RP0/CPU0:IOSXR# show running-config ipsla server twamp
 ipsla
 server twamp
 !
RP/0/RP0/CPU0:IOSXR#
```
If the command returns no output or an error, the device is not affected.

To determine whether the TWAMP debugs are enabled on a device, use the show debug | include ipsla trace twamp connection CLI command. If the TWAMP server feature is configured and the device has the debugs enabled, the device is affected by this vulnerability.

The following example shows the output for a device that has the IP SLA debugs enabled:
```
RP/0/RP0/CPU0:IOSXR#show debug | include ipsla trace twamp connection
Wed Mar 26 16:00:00.000 UTC
ipsla trace twamp connection flag is ON with value 0
RP/0/RP0/CPU0:IOSXR#
```
If the command returns no output or an error, the device does not have the debugs enabled.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Meraki products
- NX-OS Software

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

In the following table, the left column lists Cisco software releases or trains. The right column indicates whether a release (train) is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability.

Cisco IOS XR Software Release First Fixed Release

24.2 and earlier Migrate to a fixed release.

24.3 24.3.2

24.4.1 and later Not affected.

Note: Due to the nature of the fix required, Cisco is unable to develop an SMU to address this vulnerability. A software upgrade is required.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Cisco IOS and IOS XE Software

To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).

To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to determine whether a release is affected by any Cisco Security Advisory. To use the form, follow these steps:
1. Choose which advisories the tool will search-only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
2. Enter a release number-for example, 15.9(3)M2 or 17.3.3.
3. Click Check.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn

Revision History

Version Description Section Status Date

1.0 Initial public release. – Final 2025-MAY-07

Show Less

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

Feedback

Leave additional feedback

Original Post url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20IOS,%20IOS%20XE,%20and%20IOS%20XR%20Software%20TWAMP%20Denial%20of%20Service%20Vulnerability%26vs_k=1

Category & Tags: –