CVE-2025-20189

CVE-2025-20189 is a high-severity vulnerability in Cisco Ios Xe with a CVSS 3.x base score of 7.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-762.

Key facts

Description

A vulnerability in the Cisco Express Forwarding functionality of Cisco IOS XE Software for Cisco ASR 903 Aggregation Services Routers with Route Switch Processor 3 (RSP3C) could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition. This vulnerability is due to improper memory management when Cisco IOS XE Software is processing Address Resolution Protocol (ARP) messages. An attacker could exploit this vulnerability by sending crafted ARP messages at a high rate over a period of time to an affected device. A successful exploit could allow the attacker to exhaust system resources, which eventually triggers a reload of the active route switch processor (RSP). If a redundant RSP is not present, the router reloads.

Frequently asked questions

What is CVE-2025-20189?
A vulnerability in the Cisco Express Forwarding functionality of Cisco IOS XE Software for Cisco ASR 903 Aggregation Services Routers with Route Switch Processor 3 (RSP3C) could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition. This vulnerability is due to improper memory management when Cisco IOS XE Software is processing Address Resolution Protocol (ARP) messages. An attacker could exploit this vulnerability by sending crafted ARP messages at a high rate over a period of time to an affected device. A successful exploit could allow the attacker to exhaust system resources, which eventually triggers a reload of the active route switch processor (RSP). If a redundant RSP is not present, the router reloads.
How severe is CVE-2025-20189?
CVE-2025-20189 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2025-20189 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (10th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-20189?
CVE-2025-20189 primarily affects Cisco Ios Xe. In total, 266 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-20189?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-20189 have an EU (EUVD) identifier?
Yes. CVE-2025-20189 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-13902.
When was CVE-2025-20189 published?
CVE-2025-20189 was published on 2025-05-07 and last updated on 2026-06-17.

References

Affected products (266)

More vulnerabilities in Cisco Ios Xe

All CVEs affecting Cisco Ios Xe →

Other CWE-762 vulnerabilities

Browse all CWE-762 vulnerabilities →