cisco zero-day vulnerability

IOS XR Software was exposed to a zero-day vulnerability, which Cisco released a fix for on Friday, and the vulnerability was exploited in the wild by the threat actors.

In addition to the NCS 540 and 560, NCS 5500, 8000, and ASR 9000 series routers the IOS XR Network OS is available for multiple Cisco router platforms.

This bug has already been tracked as CVE-2022-20821. It was discovered while resolving a support case raised by the Cisco TAC.

Here’s what Cisco stated:-

“This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.”

Flaw Profile

  • CVE ID: CVE-2022-20821
  • Description: Cisco IOS XR Software Health Check Open Port Vulnerability
  • CVSS Score: Base 6.5
  • Summary: An unauthenticated, remote attacker may possibly gain access to the Redis instance running within the NOSi container by exploiting a vulnerability in the health check RPM of Cisco IOS XR Software.
  • First Published: 2022 May 20 16:00 GMT
  • Severity: Medium


In order to mitigate this vulnerability, the cybersecurity analysts at Cisco have provided the following workarounds:-

  • Option 1: This option is one of the most preferred methods, as it has the most advantages. This is achieved by disabling the health check and explicitly removing all the use cases.
  • Option 2: Port 6379 should be blocked with an Infrastructure Access Control List (iACL).

The following two Cisco bugs are ones that were previously fixed and here they are listed below:-

  • Unauthenticated attackers could potentially run arbitrary commands with root privileges remotely because of NFVIS bugs.
  • Unauthenticated remote attackers could steal the administrator credentials from the Cisco Umbrella Virtual Appliance (VA) as a result of a Cisco Umbrella bug.

There is no doubt that threat actors frequently target vulnerabilities in Cisco devices, so making sure users are applying patches or workarounds as soon as possible should be a priority.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.