What is Cisco IOS?
Cisco IOS (Internetwork Operating System) is the proprietary operating system running on the vast majority of Cisco routers and switches. It is the backbone of enterprise branch networks, campus infrastructure, service provider backbones, and critical national infrastructure worldwide. Network administrators manage IOS devices via Virtual Terminal (VTY) lines — logical management sessions reached through Telnet, SSH, RSH, or HTTP.
Because Cisco routers and switches are the chokepoints through which all network traffic flows, loss of management access to these devices during an incident can prevent defenders from applying ACLs, rerouting traffic, or isolating affected network segments.
Overview
CVE-2004-1464 is a denial-of-service vulnerability in Cisco IOS that allows an unauthenticated attacker to exhaust the device's Virtual Terminal (VTY) line pool, permanently blocking all subsequent management sessions via Telnet, reverse Telnet, RSH, SSH, SCP, and HTTP until the device is reloaded or the stuck sessions are manually cleared.
Cisco published the advisory on August 27, 2004, and fixed versions were available the same day. Despite its age, CISA added it to the Known Exploited Vulnerabilities catalog on May 19, 2023 — nearly 19 years after the original disclosure — after obtaining evidence of active exploitation. Among the oldest CVEs ever added to the KEV catalog, its appearance reflects the persistent reality of unpatched and end-of-life Cisco IOS devices in production networks.
Affected Versions
| IOS Train | Fixed Version |
|---|---|
| 12.0 | 12.0(5)WC11 and later |
| 12.1 | 12.1(26) and later |
| 12.2 | 12.2(27) and later |
| 12.3 | 12.3(6d) and later |
| Older (9.x, 10.x, 11.x) | No patch; upgrade or mitigate |
Devices running IOS ≥ 12.2(15)T use HTTP v1.1, which is unaffected by the HTTP management lockout variant. All other affected versions require patching or workaround.
Technical Details
Cisco IOS manages in-band administrative sessions through a finite pool of Virtual Terminal (VTY) lines. Each Telnet, SSH, or reverse-Telnet connection occupies one VTY line. When all VTY lines are occupied, the device rejects new management connections.
A specially crafted TCP connection — one that completes the three-way handshake but does not complete normal session establishment — can hold a VTY line open indefinitely. Because a full TCP handshake is required, spoofing the source IP is impractical on a correctly deployed network, but any host with network access to the device's management interface can exploit this.
An attacker exhausting all available VTY lines prevents legitimate administrators from connecting via:
- Telnet
- Reverse Telnet
- Remote Shell (RSH)
- Secure Shell (SSH)
- Secure Copy (SCP)
- DLSw+
- Protocol translation
- HTTP v1.0 management
The denial of access persists until the device is reloaded or an administrator uses the console port (physical or out-of-band access) to clear the stuck sessions with clear line vty <number> or clear tcp.
CWE-400 (Uncontrolled Resource Consumption): IOS fails to bound or time out partially-established VTY sessions, allowing the fixed-size VTY pool to be exhausted by an attacker without completing authentication.
A public Metasploit auxiliary module (dos/cisco/ios_telnet_rocem) exists for this vulnerability.
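The exhaustion pattern described above is visible from the console in `show users`: VTY lines held by sessions that never reached authentication have an empty User column. The following script is an added example (not from the advisory or from Cisco) that parses a constructed, simplified `show users` sample and flags a full pool or one source holding several unauthenticated lines; the pool size is passed in, since it depends on how many VTY lines the device is configured with.

```python
import re
from collections import Counter

# Constructed `show users` output (not captured from a real device); the column
# layout is a simplified version of what IOS prints.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:05:12 10.0.0.7
   3 vty 1                idle                 00:00:41 192.0.2.10
   4 vty 2                idle                 00:00:40 192.0.2.10
   5 vty 3                idle                 00:00:40 192.0.2.10
   6 vty 4                idle                 00:00:39 192.0.2.10
"""

# Matches a VTY row; the middle group holds "User Host(s)", or just "Host(s)"
# when nobody has authenticated on that line yet.
VTY_ROW = re.compile(
    r"^\s*\*?\s*\d+\s+vty\s+(?P<vty>\d+)\s+(?P<middle>.*?)\s+"
    r"(?P<idle>\d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s*$"
)

def parse_vty_sessions(text):
    """Return one dict per occupied VTY line: number, user (or None), idle time, source."""
    sessions = []
    for line in text.splitlines():
        m = VTY_ROW.match(line)
        if not m:
            continue  # console row, header, blank line
        fields = m.group("middle").split()
        user = fields[0] if len(fields) > 1 else None
        sessions.append({"vty": int(m.group("vty")), "user": user,
                         "idle": m.group("idle"), "src": m.group("src")})
    return sessions

def assess_vty_pool(sessions, pool_size, unauth_threshold=3):
    """Flag pool exhaustion and sources holding many never-authenticated VTY lines."""
    unauth = [s for s in sessions if s["user"] is None]
    by_src = Counter(s["src"] for s in unauth)
    findings = []
    if len(sessions) >= pool_size:
        findings.append(f"all {pool_size} VTY lines occupied; new management sessions will fail")
    suspects = sorted(src for src, n in by_src.items() if n >= unauth_threshold)
    for src in suspects:
        findings.append(f"{by_src[src]} unauthenticated VTY sessions held by {src}")
    return {"occupied": len(sessions), "unauthenticated": len(unauth),
            "suspect_sources": suspects, "findings": findings}
```

Run `assess_vty_pool(parse_vty_sessions(output), pool_size)` against real output with the device's actual VTY count (5 for a default `line vty 0 4`, 16 for the `0 15` range used on this page).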
Discovery
The vulnerability was discovered and reported to Cisco; the advisory was published August 27, 2004. No single external researcher is credited in the public advisory.
Exploitation Context
CVE-2004-1464's addition to the CISA KEV catalog in May 2023 — nearly 19 years after disclosure — places it among the oldest CVEs ever added. CISA's KEV policy requires credible evidence of active exploitation in the wild, meaning this 2004 vulnerability was being actively used against real targets in 2023.
The likely exploitation context is consistent with the 2022–2023 wave of nation-state targeting of network infrastructure. CISA, NSA, and Five Eyes partner agencies issued multiple joint advisories during this period specifically warning that state-sponsored actors were exploiting legacy vulnerabilities in network devices — including old Cisco IOS CVEs — as part of campaigns targeting critical infrastructure and government networks. Devices running unsupported IOS versions accumulate years of unpatched CVEs, and threat actors systematically probe for them.
The CISA BOD 22-01 deadline of June 9, 2023 gave federal agencies three weeks to remediate. For devices too old to receive an IOS update, the practical remediation is the same as the 2004 workaround: disable Telnet entirely and restrict VTY access to SSH from trusted management hosts only.
Remediation
- Upgrade Cisco IOS to a fixed version per the table above. For devices on old release trains (12.0, 12.1), the fixed versions are themselves decades old — upgrade to a currently-supported IOS or IOS-XE release where possible.
- Disable Telnet on VTY lines — Telnet transmits credentials in cleartext and has no legitimate security use. Replace all Telnet management with SSH:

  ```
  line vty 0 15
   transport input ssh
  ```

- Apply VTY access control lists — restrict management connections to known trusted management hosts:

  ```
  ip access-list standard MGMT-HOSTS
   permit 10.0.0.0 0.0.0.255
   deny any log
  !
  line vty 0 15
   access-class MGMT-HOSTS in
  ```

- Implement infrastructure ACLs at the perimeter — block inbound connections to device management ports (23/TCP for Telnet, 22/TCP for SSH) from untrusted source addresses at the network edge, preventing internet-facing exposure of management interfaces.
- Enable SSH version 2 only:

  ```
  ip ssh version 2
  ```

- Configure VTY timeouts — reduce the window for stuck connections:

  ```
  line vty 0 15
   exec-timeout 5 0
  ```

- Deploy out-of-band management — ensure console port access (direct or via out-of-band management network) is available as a recovery path independent of VTY. If VTY lines are exhausted, the console port is the only way to clear them without a reload.
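To check a fleet against the SSH-only, ACL-restricted, timeout-bearing VTY baseline listed above, the following added example (written for this page, not a Cisco tool) audits an IOS running-config text. It uses two constructed config excerpts: one where `vty 0 4` still accepts Telnet and has no access-class, and one with the remediation applied to the whole pool.

```python
import re

# Constructed IOS running-config excerpts (not captured from a real device).
# WEAK still allows Telnet on vty 0-4 and has no access-class or timeout there.
WEAK_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
"""
# HARDENED applies the workaround to every VTY line and enables SSHv2 only.
HARDENED_CONFIG = "ip ssh version 2\n" + WEAK_CONFIG.replace(
    "line vty 0 4\n transport input telnet ssh\nline vty 5 15", "line vty 0 15")

def parse_line_blocks(config):
    blocks, current = {}, None  # maps 'vty 0 15' -> its indented commands
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the section
    return blocks

def audit_vty_hardening(config):
    """Return deviations from the SSH-only, ACL-restricted VTY baseline."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: 'ip ssh version 2' not configured")
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"): continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        # No 'transport input' means the platform default, which can include Telnet.
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"line {name}: transport input not SSH-only ({transport or 'default'})")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"line {name}: no inbound access-class")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        # 'exec-timeout 0 0' disables the idle timer entirely.
        if timeout is None or timeout.split()[1:3] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout missing or disabled")
    return findings
```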
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2004-1464 |
| Vendor / Product | Cisco — IOS |
| NVD Published | 2004-12-31 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 5.9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | MEDIUM |
| CWE | CWE-400 |
| CISA KEV Added | 2023-05-19 |
| CISA KEV Deadline | 2023-06-09 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2004-08-27 | Cisco publishes advisory cisco-sa-20040827-telnet and releases fixed IOS versions |
| 2004-12-31 | CVE-2004-1464 published |
| 2023-05-19 | Added to CISA Known Exploited Vulnerabilities catalog — nearly 19 years after disclosure |
| 2023-06-09 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2004-1464 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Cisco Security Advisory — cisco-sa-20040827-telnet | Vendor Advisory |