Zero-day vulnerability in Cisco IOS XR

Improper input validation

Not patched

Vulnerability details

Advisory: SB20016052601 - Remote denial of service in Cisco IOS

Vulnerable component: Cisco IOS XR

CVE-ID: CVE-2016-1409

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:U/RC:C

CWE-ID: CWE-20 - Improper Input Validation


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a logic error when parsing IPv6 Neighbor Discovery (ND) packets, sent directly to the device. A remote attacker can send specially crafted IPv6 traffic to the affected device and cause the device to stop processing IPv6 traffic.

Successful exploitation of the vulnerability will result in denial of service attack.

Note: according to Cisco, this vulnerability is being exploited in the wild.