CVE-2023-20135 MEDIUM

Vendor Cisco
Product Cisco IOS XR Software
Weakness CWE-347 (Improper Verification of Cryptographic Signature)
Published September 13, 2023
Last update December 16, 2025

CVSS base score

5.7/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device.

Key dates

Disclosure timeline

September 13, 2023 CVE published
December 16, 2025 Record updated