CVE-2021-1620 HIGH

CVE-2021-1620: Cisco IOS and IOS XE Software IKEv2 AutoReconnect Feature Denial of Service Vulnerability

Vendor Cisco
Product Cisco IOS
Weakness CWE-563
Published September 23, 2021
Last update November 7, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) support for the AutoReconnect feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to exhaust the free IP addresses from the assigned local pool. This vulnerability occurs because the code does not release the allocated IP address under certain failure conditions. An attacker could exploit this vulnerability by trying to connect to the device with a non-AnyConnect client. A successful exploit could allow the attacker to exhaust the IP addresses from the assigned local pool, which prevents users from logging in and leads to a denial of service (DoS) condition.

Key dates

02Disclosure timeline

September 23, 2021 CVE published
November 7, 2024 Record updated