Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
Description
Cisco SD-WAN vEdge Routers are vulnerable to a denial of service (DoS) via memory exhaustion in the NETCONF process when handling large amounts of traffic, affecting software versions prior to 20.6.1 and 20.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The NETCONF process in Cisco SD-WAN vEdge Routers fails to manage memory properly when the device receives large amounts of traffic. This flaw can be triggered by an authenticated local attacker, causing the device to run out of memory and crash, leading to a denial of service (DoS) condition. Affected versions include all Cisco SD-WAN vEdge Software releases earlier than 20.6.1 and 20.7.1 [1].
Exploitation
An attacker must have local access to the device and be authenticated. By sending specially crafted, high-volume traffic to the NETCONF process, the attacker can exhaust available memory. This requires the ability to generate or direct a significant amount of network traffic toward the affected device [1].
Impact
Successful exploitation results in a complete denial of service, as the device crashes and becomes unavailable. This disrupts network operations and may require manual intervention to restore service. The vulnerability does not allow code execution or privilege escalation; the impact is strictly availability [1].
Mitigation
Cisco has released fixed versions to address this vulnerability: Cisco SD-WAN vEdge Software releases 20.6.1 and 20.7.1. Customers running earlier releases should migrate to a fixed release. No workarounds are documented in the available advisory [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vedge-dos-jerVm4bB (mitre, vendor-advisory, x_refsource_CISCO)