CVE-2009-2055

MEDIUM KEV

Cisco IOS XR 3.4.0-3.8.1 - Denial of Service via Invalid BGP UPDATE Attribute


Exploitation Summary

CVE-2009-2055 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022.

Description

Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute, as demonstrated in the wild on 17 August 2009.

References (4)

Core References
Mailing List (mailing-list, x_refsource_mlist): http://mailman.nanog.org/pipermail/nanog/2009-August/012719.html
Broken Link (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1022739
Patch, Vendor Advisory (vendor-advisory, x_refsource_cisco): http://www.cisco.com/en/US/products/products_security_advisory09186a0080af150f.shtml

Scores

CVSS v3 5.9
EPSS 0.0077
EPSS Percentile 74.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-25
InTheWild.io 2009-08-21
ENISA EUVD EUVD-2009-2051
CWE
CWE-20
Status published
Products (19)
cisco/ios_xr 3.4
cisco/ios_xr 3.4.0
cisco/ios_xr 3.4.1
cisco/ios_xr 3.4.2
cisco/ios_xr 3.4.3
cisco/ios_xr 3.5
cisco/ios_xr 3.5.2
cisco/ios_xr 3.5.3
cisco/ios_xr 3.5.4
cisco/ios_xr 3.6.0
... and 9 more
Published Aug 19, 2009
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026