CVE-2025-20340

Cisco · Cisco Multiple Products

A high-severity vulnerability exists in the Address Resolution Protocol (ARP) implementation of multiple Cisco products running IOS XR Software.

Executive summary

A high-severity vulnerability exists in the Address Resolution Protocol (ARP) implementation of multiple Cisco products running IOS XR Software. An attacker on the same local network can exploit this flaw without authentication to create a network-wide broadcast storm, overwhelming affected devices and causing a complete denial of service (DoS) and network outage.

Vulnerability

The vulnerability lies within the processing of ARP packets in Cisco IOS XR Software. An unauthenticated attacker located on the same network segment (adjacent) can send specially crafted ARP packets to a vulnerable device. The device's flawed handling of these packets triggers a broadcast storm, where the network is flooded with an excessive number of broadcast packets, leading to CPU exhaustion on the device and consumption of all available network bandwidth, resulting in a Denial of Service (DoS) condition.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.4. A successful exploit would result in a complete network outage for segments managed by the affected device. The business impact includes disruption of critical services, loss of connectivity for users and applications, potential financial losses due to downtime, and damage to the organization's reputation. The lack of an authentication requirement and the simplicity of the attack vector increase the risk of exploitation by an attacker with local network access.

Remediation

Immediate Action: The primary remediation is to identify all vulnerable devices and apply the security updates provided by Cisco immediately. Before and after patching, organizations should monitor for signs of exploitation, such as anomalous network traffic, and review device access and system logs for any unusual ARP-related activity or error messages.

Proactive Monitoring: Implement network monitoring to detect and alert on unusually high rates of ARP broadcast packets, a key indicator of an attempted exploit. Monitor the CPU utilization of critical Cisco devices for sudden and sustained spikes. Configure logging to capture detailed information on ARP processing errors or resource exhaustion alerts.
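As an added illustration of the rate-based monitoring described above (example code written for this page, not Cisco's or the advisory's own tooling), the following sliding-window detector counts broadcast ARP frames overall and per source MAC and raises an alert when either count crosses a threshold inside a one-second window. The packet records, window size and thresholds are constructed assumptions; a real deployment would feed the monitor from a packet capture or flow export and tune the thresholds to the segment's measured baseline.

```python
"""Sliding-window detector for abnormal ARP broadcast rates.

Added example for the "Proactive Monitoring" recommendation. The capture,
thresholds and window size below are constructed assumptions, not values
taken from the advisory.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Deque, List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1
ARP_REPLY = 2

Alert = Tuple[str, Optional[str], float]   # (kind, source MAC or None, timestamp)


@dataclass(frozen=True)
class ArpRecord:
    ts: float        # capture timestamp in seconds
    src_mac: str     # Ethernet source address
    dst_mac: str     # Ethernet destination address
    opcode: int      # ARP opcode: 1 = request, 2 = reply


class ArpBroadcastMonitor:
    """Counts broadcast ARP frames in a sliding window, overall and per source."""

    def __init__(self, window_s: float = 1.0, total_threshold: int = 200,
                 per_source_threshold: int = 50) -> None:
        self.window_s = window_s
        self.total_threshold = total_threshold
        self.per_source_threshold = per_source_threshold
        self._all: Deque[float] = deque()                       # all broadcast ARP timestamps
        self._by_src: Dict[str, Deque[float]] = defaultdict(deque)  # src_mac -> timestamps
        self.alerts: List[Alert] = []

    def _expire(self, now: float) -> None:
        """Drop timestamps that fell out of the window ending at `now`."""
        cutoff = now - self.window_s
        while self._all and self._all[0] < cutoff:
            self._all.popleft()
        for mac in list(self._by_src):
            q = self._by_src[mac]
            while q and q[0] < cutoff:
                q.popleft()
            if not q:
                del self._by_src[mac]

    def observe(self, rec: ArpRecord) -> List[Alert]:
        """Feed one frame; return the alerts (if any) this frame triggered."""
        # Unicast ARP (normal replies) is not a storm indicator and is ignored.
        if rec.dst_mac.lower() != BROADCAST_MAC:
            return []
        self._all.append(rec.ts)
        self._by_src[rec.src_mac].append(rec.ts)
        self._expire(rec.ts)
        fired: List[Alert] = []
        # Counts grow by at most one per frame, so "== threshold" fires exactly
        # once on each upward crossing instead of on every frame above it.
        if len(self._all) == self.total_threshold:
            fired.append(("total", None, rec.ts))
        if len(self._by_src[rec.src_mac]) == self.per_source_threshold:
            fired.append(("source", rec.src_mac, rec.ts))
        self.alerts.extend(fired)
        return fired


def build_sample_capture(include_burst: bool = True) -> List[ArpRecord]:
    """Constructed capture: 10 background ARP requests/sec from ten hosts for
    three seconds (each answered by a unicast reply), optionally followed by
    one host emitting 80 broadcast frames within 0.4 s."""
    hosts = [f"00:11:22:33:44:{i:02x}" for i in range(10)]
    records: List[ArpRecord] = []
    for tick in range(30):
        ts = tick * 0.1
        asker = hosts[tick % 10]
        records.append(ArpRecord(ts, asker, BROADCAST_MAC, ARP_REQUEST))
        records.append(ArpRecord(ts + 0.01, hosts[(tick + 1) % 10], asker, ARP_REPLY))
    if include_burst:
        burst_src = "de:ad:be:ef:00:01"        # constructed noisy host
        for i in range(80):
            records.append(ArpRecord(3.0 + i * 0.005, burst_src, BROADCAST_MAC, ARP_REQUEST))
    return records


def run_monitor(records: List[ArpRecord], **kwargs) -> List[Alert]:
    """Replay records in timestamp order and return every alert raised."""
    mon = ArpBroadcastMonitor(**kwargs)
    for rec in sorted(records, key=lambda r: r.ts):
        mon.observe(rec)
    return mon.alerts


if __name__ == "__main__":
    for kind, mac, ts in run_monitor(build_sample_capture()):
        print(f"ALERT {kind:6s} src={mac} t={ts:.3f}s")
```

With the default thresholds the background traffic stays silent and the burst produces a single per-source alert; lowering `total_threshold` to the segment's real ceiling also surfaces the aggregate storm condition. Both signals together (one host dominating plus the aggregate rate climbing) are what distinguish an ARP storm from an ordinary ARP-heavy segment.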

Compensating Controls: If patching cannot be performed immediately, implement compensating controls to mitigate risk. These include deploying Dynamic ARP Inspection (DAI) to validate ARP packets, using access control lists (ACLs) to restrict traffic from untrusted sources on the local network segment, and enabling port security on switches to limit the impact of a malicious host.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.4) and the potential for a complete network outage, this vulnerability poses a significant risk to the organization. Although it is not currently listed on the CISA KEV list, the impact of a successful exploit is severe. It is strongly recommended that organizations prioritize the immediate identification and patching of all affected Cisco IOS XR devices. If patching is delayed, the compensating controls outlined above should be implemented as a matter of urgency to reduce the attack surface.