May 28, 2023

Cisco has released security patches to address a medium-severity vulnerability affecting IOS XR Software, tracked as CVE-2022-20821 with a CVSS score: 6.5, that threat actors are actively exploiting in attacks in the wild affecting Cisco 8000 routers

The flaw resides in the health check RPM of Cisco IOS XR Software, an unauthenticated, remote attacker could trigger the issue to access the Redis instance that is running within the NOSi container.


An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.

Users can determine if the device is vulnerable, users can issue the run docker ps CLI command. The device is vulnerable if the output returns a docker container with the name NOSi like the following example:

Cisco IOS XR flaw

Below are the workarounds that address this vulnerability:

  • Option 1: This is the preferred method. Disable health check and explicitly disable the use cases.
  • Option 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.

Leave a Reply

%d bloggers like this: