{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ios-xe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco IOS","Cisco IOS XE"],"_cs_severities":["medium"],"_cs_tags":["cisco","ios","ios-xe","dos","CVE-2026-20125"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco IOS and IOS XE Software are vulnerable to a denial-of-service condition due to improper validation of user-supplied input within the HTTP Server feature. This vulnerability, identified as CVE-2026-20125, affects devices running specific releases of Cisco IOS Software and Cisco IOS XE Software. An authenticated, remote attacker can exploit this vulnerability by sending malformed HTTP requests to a vulnerable device. Successful exploitation leads to a watchdog timer expiration, causing the device to reload unexpectedly. To exploit this vulnerability, the attacker must possess a valid user account on the targeted Cisco device. This issue was reported on 2026-03-25.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid user credentials for a Cisco IOS or IOS XE device. This could be achieved through social engineering, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the HTTP Server feature on the targeted device via HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a series of malformed HTTP requests designed to exploit the input validation vulnerability.\u003c/li\u003e\n\u003cli\u003eThese malformed requests are sent to the device. The specific nature of the malformed requests is not detailed in the source but could involve exceeding expected input lengths, using unexpected characters, or other forms of invalid data.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper input validation, the device processes the malformed requests, leading to an internal error.\u003c/li\u003e\n\u003cli\u003eThe error causes the watchdog timer on the device to expire.\u003c/li\u003e\n\u003cli\u003eUpon watchdog timer expiration, the device initiates a reload sequence.\u003c/li\u003e\n\u003cli\u003eThe device reloads, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20125 results in a denial-of-service condition, rendering the affected Cisco device unavailable. The scope of the impact depends on the role of the device within the network. If the device is a critical router or switch, the outage could disrupt network connectivity for a large number of users or services. The severity of the impact also depends on how quickly the device can be restored to normal operation. The vulnerability requires an authenticated attacker, limiting the scope of potential attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the appropriate patch or upgrade to a version of Cisco IOS or IOS XE Software that resolves CVE-2026-20125. Refer to the Cisco advisory for specific details on affected versions and recommended fixes.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests targeting Cisco IOS or IOS XE devices (see the \u0026quot;Detect Malformed HTTP Requests to Cisco Devices\u0026quot; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to reduce the risk of unauthorized access to Cisco devices, as exploitation requires a valid user account.\u003c/li\u003e\n\u003cli\u003eReview logs for unexpected device reloads, which could be indicative of successful exploitation (see the \u0026quot;Cisco Device Reload Detection\u0026quot; Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-cisco-ios-xe-dos/","summary":"CVE-2026-20125 allows an authenticated, remote attacker to cause a denial of service by sending malformed HTTP requests to a Cisco IOS or IOS XE device, triggering a device reload.","title":"Cisco IOS and IOS XE HTTP Server Denial-of-Service Vulnerability (CVE-2026-20125)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-cisco-ios-xe-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco IOS XE Software"],"_cs_severities":["high"],"_cs_tags":["cisco","ios xe","tls","denial of service","memory exhaustion"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCVE-2026-20004 is a critical vulnerability affecting the TLS library within Cisco IOS XE Software. An unauthenticated attacker positioned adjacent to a vulnerable device can exploit this flaw to exhaust the device's available memory. This vulnerability arises from improper management of memory resources during the establishment of TLS connections. The attack can be initiated in multiple ways, including but not limited to, repeated attempts at Extensible Authentication Protocol (EAP) authentication when local EAP is active. Another attack vector involves a machine-in-the-middle (MitM) approach, where TLS connections are reset between the affected Cisco device and other network entities. Successful exploitation leads to complete memory exhaustion, forcing an unexpected device reload and a subsequent denial-of-service (DoS) condition. This can impact network availability and critical services relying on the affected Cisco device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes network adjacency to the target Cisco IOS XE device.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a series of TLS connection requests to the target device.\u003c/li\u003e\n\u003cli\u003eIf local EAP is enabled, the attacker repeatedly attempts EAP authentication, triggering memory allocation on each attempt.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker performs a Machine-in-the-Middle (MitM) attack to intercept and reset existing TLS connections between the target device and other devices.\u003c/li\u003e\n\u003cli\u003eThe target device improperly manages memory resources during each TLS connection setup (either through EAP or MitM reset), leading to increasing memory consumption.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to send TLS connection requests or reset existing connections, further exhausting the device's memory.\u003c/li\u003e\n\u003cli\u003eThe available memory on the affected device is completely depleted due to the continuous allocation.\u003c/li\u003e\n\u003cli\u003eThe device experiences an unexpected reload, resulting in a denial-of-service condition, disrupting network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20004 can lead to a complete denial of service on the affected Cisco IOS XE device. This can disrupt network operations, causing downtime and impacting critical services. The severity is amplified as it can be triggered by an unauthenticated, adjacent attacker. The number of potential victims depends on the number of Cisco IOS XE devices running vulnerable software versions with exposed TLS services. The impact extends to any organization relying on these devices for network connectivity and service delivery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Cisco IOS XE Software to a version that addresses CVE-2026-20004 as soon as possible, as documented in the Cisco security advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious TLS connection patterns, particularly repeated connection attempts from the same adjacent source (using network_connection logs and creating custom rules).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of Cisco IOS XE devices to adjacent networks where potential attackers may reside.\u003c/li\u003e\n\u003cli\u003eConsider disabling local EAP if it is not required, to mitigate the risk of exploitation via repeated EAP authentication attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-ios-xe-tls-dos/","summary":"CVE-2026-20004 is a vulnerability in the TLS library of Cisco IOS XE Software that allows an unauthenticated, adjacent attacker to exhaust device memory, leading to denial of service.","title":"Cisco IOS XE Software TLS Memory Exhaustion Vulnerability (CVE-2026-20004)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-ios-xe-tls-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Ios Xe","version":"https://jsonfeed.org/version/1.1"}