Summary

• A vulnerability in the Two-Way Active Measurement Protocol (TWAMP) server feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. For Cisco IOS XR Software, this vulnerability could cause the ipsla_ippm_server process to reload unexpectedly if debugs are enabled.

  This vulnerability is due to out-of-bounds array access when processing specially crafted TWAMP control packets. An attacker could exploit this vulnerability by sending crafted TWAMP control packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

  Note: For Cisco IOS XR Software, only the ipsla_ippm_server process reloads unexpectedly and only when debugs are enabled. The vulnerability details for Cisco IOS XR Software are as follows:
  
  Security Impact Rating (SIR): Low
  CVSS Base Score: 3.7
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn

  This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

• Vulnerable Products

  This vulnerability affects the following Cisco products if they have the TWAMP server feature enabled:

  • IOS Software is affected with or without debugs enabled.
  • IOS XE Software
    
    • Releases 16.6.1 through 17.2.3 are affected only if the debug command debug ip sla trace twamp connection is active.
    • All other releases (up to the first fixed release) do not require debugs to be enabled to be affected by this vulnerability.
  • IOS XR Software is affected only if the debug command debug ipsla trace twamp connection is active.

  For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

  Determine the TWAMP Server Configuration

  Cisco IOS and Cisco IOS XE Software

  To determine whether the TWAMP server is enabled on a device, use the show running-config | include ip sla server twamp CLI command. If the TWAMP server feature is enabled, the device is affected by this vulnerability.

  The following example shows the output for a device that has the TWAMP server enabled:

  Router#show running-config | include ip sla server twamp
  ip sla server twamp
  Router#

  If the command returns no output or an error, the device is not affected.

  To determine whether the TWAMP debugs are enabled on a device that is running Cisco IOS XE Software, use the show debug | include TWAMP Server Connection TRACE CLI command.

  The following example shows the output for a device that has the IP SLA debugs enabled:

  Router#show debug | include TWAMP Server Connection TRACE
  IPPM TWAMP Server Connection TRACE debug all
  Router#

  If the command returns no output or an error, the device does not have the debugs enabled.

  Cisco IOS XR Software

  To determine whether the TWAMP server is enabled on a device, use the show running-config ipsla server twamp CLI command. If the TWAMP server feature is enabled, the device is affected by this vulnerability.

  The following example shows the output for a device that has the IP SLA responder enabled:

  RP/0/RP0/CPU0:IOSXR# show running-config ipsla server twamp
   ipsla
   server twamp
   !
  RP/0/RP0/CPU0:IOSXR#

  If the command returns no output or an error, the device is not affected.

  To determine whether the TWAMP debugs are enabled on a device, use the show debug | include ipsla trace twamp connection CLI command. If the TWAMP server feature is configured and the device has the debugs enabled, the device is affected by this vulnerability.

  The following example shows the output for a device that has the IP SLA debugs enabled:

  RP/0/RP0/CPU0:IOSXR#show debug | include ipsla trace twamp connection
  Wed Mar 26 16:00:00.000 UTC
  ipsla trace twamp connection flag is ON with value 0
  RP/0/RP0/CPU0:IOSXR#

  If the command returns no output or an error, the device does not have the debugs enabled.

  Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

  Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Meraki products
  • NX-OS Software

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

  Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

  The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Customers Without Service Contracts

  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  Fixed Releases

  In the following table, the left column lists Cisco software releases or trains. The right column indicates whether a release (train) is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability.

  Cisco IOS XR Software Release	First Fixed Release
  24.2 and earlier	Migrate to a fixed release.
  24.3	24.3.2
  24.4.1 and later	Not affected.

  Note: Due to the nature of the fix required, Cisco is unable to develop an SMU to address this vulnerability. A software upgrade is required.

  The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

  Cisco IOS and IOS XE Software

  To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).

  To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to determine whether a release is affected by any Cisco Security Advisory. To use the form, follow these steps:

  1. Choose which advisories the tool will search-only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
  2. Enter a release number-for example, 15.9(3)M2 or 17.3.3.
  3. Click Check.

  
  

  Only this advisory All Critical and High advisories All advisories

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during internal security testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-twamp-kV4FHugn

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	-	Final	2025-MAY-07

  Show Less