vulnerability
Cisco IOS-XR: CVE-2023-20236: Cisco IOS XR Software iPXE Boot Signature Bypass Vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:L/AC:L/Au:M/C:C/I:C/A:C) | Sep 13, 2023 | Sep 14, 2023 | Mar 25, 2026 |
Severity
6
CVSS
(AV:L/AC:L/Au:M/C:C/I:C/A:C)
Published
Sep 13, 2023
Added
Sep 14, 2023
Modified
Mar 25, 2026
Description
A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local attacker to install an unverified software image on an affected device.
This vulnerability is due to insufficient image verification. An attacker could exploit this vulnerability by manipulating the boot parameters for image verification during the iPXE boot process on an affected device. A successful exploit could allow the attacker to boot an unverified software image on the affected device.
Solution
update-xros
References
- CVE-2023-20236
- https://attackerkb.com/topics/CVE-2023-20236
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-24415
- CISCO-cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB
- CWE-347
- CWE-345
- EUVD-EUVD-2023-24415
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.