<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco IOS XE Software - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cisco-ios-xe-software/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cisco-ios-xe-software/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco IOS XE DHCP Snooping BOOTP VLAN Leakage DoS (CVE-2026-20084)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/</guid><description>CVE-2026-20084 describes a vulnerability in Cisco IOS XE DHCP snooping where an unauthenticated remote attacker can cause a denial-of-service by forwarding BOOTP packets between VLANs, leading to high CPU utilization on affected Cisco Catalyst 9000 Series Switches.</description><content:encoded><![CDATA[<p>CVE-2026-20084 is a vulnerability affecting the DHCP snooping feature within Cisco IOS XE Software, specifically impacting Cisco Catalyst 9000 Series Switches. This vulnerability allows an unauthenticated, remote attacker to exploit improper handling of BOOTP packets. By sending either unicast or broadcast BOOTP request packets, an attacker can trigger the forwarding of BOOTP packets between different VLANs. This cross-VLAN forwarding, or &quot;BOOTP VLAN leakage,&quot; can result in elevated CPU utilization, rendering the device unreachable through console or remote management interfaces. The ultimate impact is a denial-of-service (DoS) condition, preventing the affected switch from forwarding network traffic and disrupting network services. The vulnerability stems from how the Cisco IOS XE software processes BOOTP packets when DHCP snooping is enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco Catalyst 9000 Series Switch running Cisco IOS XE with DHCP snooping enabled.</li>
<li>The attacker crafts a malicious BOOTP request packet. This packet can be either a unicast or broadcast BOOTP request.</li>
<li>The attacker sends the malicious BOOTP request packet to the targeted switch.</li>
<li>The vulnerable DHCP snooping feature improperly processes the BOOTP request.</li>
<li>Due to the improper handling, the switch forwards the BOOTP packet to an unintended VLAN.</li>
<li>This BOOTP VLAN leakage contributes to increased CPU utilization on the switch.</li>
<li>The high CPU utilization degrades the switch's performance, impacting its ability to forward network traffic.</li>
<li>The switch becomes unresponsive, leading to a denial-of-service condition, disrupting network services for connected devices.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20084 leads to a denial-of-service condition on affected Cisco Catalyst 9000 Series Switches. This DoS can disrupt network services, causing connectivity issues for users and applications relying on the compromised switch. The high CPU utilization makes the device unreachable for management, complicating recovery efforts. While the exact number of potential victims is unknown, any organization using vulnerable Cisco Catalyst 9000 Series Switches is at risk. The network downtime caused by this vulnerability can lead to financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual BOOTP packet activity, specifically looking for packets being forwarded between VLANs, using a network intrusion detection system (IDS) and the <code>network_connection</code> log source.</li>
<li>Deploy the Sigma rule provided to detect BOOTP packets being forwarded between VLANs, and tune the rule for your specific environment.</li>
<li>Implement workarounds provided by Cisco to mitigate the vulnerability until a patch can be applied (reference the Cisco advisory for specific workaround details).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-20084</category><category>dhcp-snooping</category><category>bootp</category><category>denial-of-service</category><category>cisco</category></item><item><title>Cisco IOS XE Software TLS Memory Exhaustion Vulnerability (CVE-2026-20004)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-ios-xe-tls-dos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-ios-xe-tls-dos/</guid><description>CVE-2026-20004 is a vulnerability in the TLS library of Cisco IOS XE Software that allows an unauthenticated, adjacent attacker to exhaust device memory, leading to denial of service.</description><content:encoded><![CDATA[<p>CVE-2026-20004 is a critical vulnerability affecting the TLS library within Cisco IOS XE Software. An unauthenticated attacker positioned adjacent to a vulnerable device can exploit this flaw to exhaust the device's available memory. This vulnerability arises from improper management of memory resources during the establishment of TLS connections. The attack can be initiated in multiple ways, including but not limited to, repeated attempts at Extensible Authentication Protocol (EAP) authentication when local EAP is active. Another attack vector involves a machine-in-the-middle (MitM) approach, where TLS connections are reset between the affected Cisco device and other network entities. Successful exploitation leads to complete memory exhaustion, forcing an unexpected device reload and a subsequent denial-of-service (DoS) condition. This can impact network availability and critical services relying on the affected Cisco device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker establishes network adjacency to the target Cisco IOS XE device.</li>
<li>Attacker initiates a series of TLS connection requests to the target device.</li>
<li>If local EAP is enabled, the attacker repeatedly attempts EAP authentication, triggering memory allocation on each attempt.</li>
<li>Alternatively, the attacker performs a Machine-in-the-Middle (MitM) attack to intercept and reset existing TLS connections between the target device and other devices.</li>
<li>The target device improperly manages memory resources during each TLS connection setup (either through EAP or MitM reset), leading to increasing memory consumption.</li>
<li>The attacker continues to send TLS connection requests or reset existing connections, further exhausting the device's memory.</li>
<li>The available memory on the affected device is completely depleted due to the continuous allocation.</li>
<li>The device experiences an unexpected reload, resulting in a denial-of-service condition, disrupting network services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20004 can lead to a complete denial of service on the affected Cisco IOS XE device. This can disrupt network operations, causing downtime and impacting critical services. The severity is amplified as it can be triggered by an unauthenticated, adjacent attacker. The number of potential victims depends on the number of Cisco IOS XE devices running vulnerable software versions with exposed TLS services. The impact extends to any organization relying on these devices for network connectivity and service delivery.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Cisco IOS XE Software to a version that addresses CVE-2026-20004 as soon as possible, as documented in the Cisco security advisory.</li>
<li>Monitor network traffic for suspicious TLS connection patterns, particularly repeated connection attempts from the same adjacent source (using network_connection logs and creating custom rules).</li>
<li>Implement network segmentation to limit the exposure of Cisco IOS XE devices to adjacent networks where potential attackers may reside.</li>
<li>Consider disabling local EAP if it is not required, to mitigate the risk of exploitation via repeated EAP authentication attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco</category><category>ios xe</category><category>tls</category><category>denial of service</category><category>memory exhaustion</category></item><item><title>Cisco IKEv2 Memory Leak Vulnerability (CVE-2026-20012)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-ikev2-dos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-ikev2-dos/</guid><description>CVE-2026-20012 is a vulnerability in the IKEv2 feature of multiple Cisco products that allows an unauthenticated remote attacker to cause a denial of service by sending crafted IKEv2 packets leading to memory exhaustion.</description><content:encoded><![CDATA[<p>CVE-2026-20012 affects the Internet Key Exchange version 2 (IKEv2) implementation in Cisco IOS Software, Cisco IOS XE Software, Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, and Cisco Secure Firewall Threat Defense (FTD) Software. Published in March 2026, the vulnerability stems from the improper parsing of IKEv2 packets. An unauthenticated, remote attacker can exploit this flaw by sending crafted IKEv2 packets to a vulnerable device. Successful exploitation leads to a memory leak, resulting in a denial-of-service (DoS) condition. For IOS and IOS XE Software, this manifests as a device reload, while ASA and FTD Software experience partial exhaustion of system memory, leading to instability and the inability to establish new IKEv2 VPN sessions. Recovery requires a manual reboot. This vulnerability poses a significant threat to network availability and security.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco device running IKEv2.</li>
<li>The attacker crafts malicious IKEv2 packets designed to exploit the parsing vulnerability.</li>
<li>The attacker sends the crafted IKEv2 packets to the target device over UDP port 500 or 4500, the standard ports for IKEv2.</li>
<li>The vulnerable device improperly parses the malicious IKEv2 packets.</li>
<li>The improper parsing triggers a memory leak within the IKEv2 process.</li>
<li>The memory leak gradually consumes available system memory.</li>
<li>On Cisco IOS and IOS XE Software, the device reaches a critical memory threshold, causing a system reload and a DoS condition.</li>
<li>On Cisco ASA and FTD Software, the memory exhaustion leads to system instability, preventing the establishment of new IKEv2 VPN sessions and requiring a manual reboot to recover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploit of CVE-2026-20012 can lead to significant disruption of network services. Cisco IOS and IOS XE devices may experience complete outages due to device reloads, affecting all services reliant on those devices. Cisco ASA and FTD devices will suffer degraded performance and an inability to establish new VPN connections, impacting remote access and secure communication. The necessity of a manual reboot for recovery prolongs the downtime and requires administrative intervention. The vulnerability has a CVSS v3.1 base score of 8.6, highlighting its severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Cisco IOS Software and IOS XE Software to patched versions to prevent device reloads (Refer to Cisco advisory for specific versions and patch information).</li>
<li>Upgrade Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software to patched versions to prevent system instability and memory exhaustion (Refer to Cisco advisory for specific versions and patch information).</li>
<li>Monitor network traffic for suspicious IKEv2 packets originating from untrusted sources, focusing on unusual packet structures or sizes (Enable network connection logging and deploy the &quot;Detect Suspicious IKEv2 Traffic&quot; Sigma rule).</li>
<li>Implement rate limiting for IKEv2 traffic to mitigate the impact of potential exploits (Consult your Cisco device documentation for rate limiting configuration).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-20012</category><category>denial-of-service</category><category>cisco</category><category>ikev2</category></item></channel></rss>