Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerability
Description
Cisco ASR 9000 sysadmin VM fails to isolate secondary management interface, allowing unauthenticated remote access to internal apps and DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software fails to properly isolate the secondary management interface from internal sysadmin applications. This vulnerability is due to incorrect network isolation, allowing the management interface to access internal services. Affected versions include all releases prior to 6.5.3 and 7.0.1 [1].
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by connecting to the secondary management interface and then accessing one of the listening internal applications on the sysadmin VM. No authentication or user interaction is required; the attacker only needs network access to the management interface [1].
Impact
Successful exploitation results in unstable conditions, including both a denial of service (DoS) and remote unauthenticated access to the device. The attacker gains the ability to access internal applications without authentication, potentially leading to further compromise [1].
Mitigation
Cisco has fixed this vulnerability in IOS XR 64-bit Software Releases 6.5.3 and 7.0.1. The fix modifies the calvados_boostrap.cfg file and requires a device reload. No workarounds are available; customers should upgrade to a fixed release [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.5.3
- Range: <6.5.3, 6.5.3 <= x < 7.0.1
- Range: unspecified
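The affected ranges above and the fixed releases named under Mitigation are coarse (the range "6.5.3 <= x < 7.0.1" encloses 6.5.3, which is itself a fixed release), so a practitioner checking an inventory needs to compare dotted release strings and reconcile the two. The following checker is an added example written for this page; it is not Cisco's code or this site's. It assumes, as stated in its comments, that a fixed release only clears images on its own major.minor train (6.5.3 says nothing about a 7.0.x image), and it treats the ranges and fixed releases as plain data copied from this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Data as stated on this page: the affected ranges and the fixed releases.
AFFECTED_RANGES: List[str] = ["<6.5.3", "6.5.3 <= x < 7.0.1"]
FIXED_RELEASES: List[str] = ["6.5.3", "7.0.1"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted release string such as '6.5.3' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b. Shorter tuples are
    zero-padded so that '6.5' compares equal to '6.5.0'."""
    width = max(len(a), len(b))
    a_pad = a + (0,) * (width - len(a))
    b_pad = b + (0,) * (width - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0}
# Accepts '<UPPER' and 'LOWER <= x < UPPER' (the notation of the list above).
_RANGE_RE = re.compile(r"^(?:(\d[\d.]*)(<=|<)x)?(<=|<)(\d[\d.]*)$")


def in_range(version: Version, expr: str) -> bool:
    """Evaluate one range expression from the Affected products list."""
    m = _RANGE_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported range expression: {expr!r}")
    lower, lower_op, upper_op, upper = m.groups()
    # Lower bound: LOWER <op> x, i.e. compare(LOWER, x) must satisfy <op>.
    if lower is not None and not _OPS[lower_op](compare(parse_version(lower), version)):
        return False
    # Upper bound: x <op> UPPER.
    return _OPS[upper_op](compare(version, parse_version(upper)))


def fixed_release_for(version: Version) -> Optional[str]:
    """Return the fixed release this version is at or beyond, looking only at
    fixed releases on the same major.minor train. Assumption for this example:
    a first fixed release clears its own train only, so 6.5.3 does not clear
    a 7.0.0 image and 7.0.1 does not clear a 6.6.x image."""
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if f[:2] == version[:2] and compare(version, f) >= 0:
            return fixed
    return None


def assess(version_text: str) -> Dict[str, object]:
    """Classify a running IOS XR 64-bit release against this page's data."""
    v = parse_version(version_text)
    matched = [r for r in AFFECTED_RANGES if in_range(v, r)]
    fixed = fixed_release_for(v)
    # A release at or after its train's fixed release is not affected even when
    # the coarse ranges enclose it (6.5.3 lies inside '6.5.3 <= x < 7.0.1').
    affected = bool(matched) and fixed is None
    return {
        "version": version_text,
        "matched_ranges": matched,
        "fixed_release": fixed,
        "affected": affected,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for sample in ["6.4.2", "6.5.2", "6.5.3", "6.6.1", "7.0.0", "7.0.1", "7.1.1"]:
        print(assess(sample))
```

Run it against the release strings from your own inventory (for example the output of `show version` collected by whatever tooling you already use); anything reported as affected with no fixed release on its train is a candidate for the upgrade and reload the advisory requires.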
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr (vendor advisory, x_refsource_CISCO)
- https://www.securityfocus.com/bid/108007 (vdb entry, x_refsource_BID)
News mentions
No linked articles in our index yet.