What Is Cisco IOS XE EVPN?
Cisco IOS XE is the modern variant of Cisco's IOS operating system, deployed on Cisco ASR routers, Catalyst 9000 series switches, and other next-generation Cisco hardware. Ethernet Virtual Private Network (EVPN) is an IETF standard for Layer 2/3 VPN services over MPLS or VXLAN fabrics — widely used in service provider networks and modern data center leaf-spine architectures. BGP (Border Gateway Protocol) is used as the control plane for EVPN to distribute MAC and IP reachability information. CVE-2017-12319 lies in the EVPN BGP implementation of IOS XE and therefore affects service provider and data center deployments that run it.
Overview
CVE-2017-12319 is a vulnerability in the BGP over EVPN implementation in Cisco IOS XE that can allow an unauthenticated remote attacker to cause a device reload (DoS) or potentially corrupt the BGP routing table, leading to network instability. The high complexity (AC:H) reflects that exploitation requires specific conditions — such as knowledge of an EVPN BGP session or the ability to send BGP UPDATE messages. Patched in Cisco advisory cisco-sa-20171025-evpn (October 2017). CISA added CVE-2017-12319 to the KEV catalog in March 2022 alongside the September 2017 Cisco IOS advisory batch, reflecting nation-state interest in exploiting Cisco infrastructure vulnerabilities.
Affected Versions
Cisco IOS XE versions with EVPN BGP functionality configured. Use cisco-sa-20171025-evpn and the Cisco IOS Software Checker for specific affected version identification.
Technical Details
Root Cause: EVPN BGP Input Validation Flaw
CVE-2017-12319 is an improper input validation vulnerability (CWE-20) in the IOS XE EVPN BGP subsystem. When processing a specially crafted BGP UPDATE message related to EVPN routes, the BGP implementation fails to properly validate the message content, leading to either:
- A process crash causing a device reload (DoS), or
- BGP routing table corruption that causes incorrect route propagation and network instability
BGP table corruption significance: The additional concern beyond a simple device reload is that the vulnerability can potentially corrupt the BGP routing table — causing routers to install incorrect routes. In an EVPN data center fabric, corrupted routes can redirect traffic to incorrect destinations, cause traffic blackholing, or expose internal segments to unintended routing.
High complexity (AC:H) context: The CVSS AC:H rating indicates that exploitation requires specific conditions — typically, the attacker must be able to send BGP UPDATE messages that are accepted by the target (requiring a BGP session or ability to inject BGP messages). This is achievable for nation-state actors with access to the network path or who have compromised a BGP peer.
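The root cause above is missing validation of EVPN route data inside a BGP UPDATE. As an added illustration that is not Cisco's code and makes no claim about which field IOS XE failed to check, here is a strict parser for the EVPN NLRI format (RFC 7432) that rejects any entry whose length fields disagree with the bytes actually present and applies an inbound route-type allow-list; the sample NLRI bytes are constructed.

```python
import ipaddress
class MalformedNLRI(ValueError):
    """Raised to reject the UPDATE instead of reading past the end of the buffer."""
# RFC 7432 / RFC 9136 route types; inbound policy can restrict to the subset expected.
ROUTE_TYPE_NAMES = {1: "Ethernet A-D", 2: "MAC/IP Advertisement", 3: "Inclusive Multicast",
                    4: "Ethernet Segment", 5: "IP Prefix"}
TYPE2_FIXED = 8 + 10 + 4 + 1 + 6 + 1  # RD, ESI, Eth Tag, MAC len, MAC, IP len

def parse_type2(body: bytes) -> dict:
    """Parse a MAC/IP Advertisement body, checking each length field against the bytes present."""
    if len(body) < TYPE2_FIXED:
        raise MalformedNLRI("type-2 body shorter than its fixed fields")
    mac_len, ip_len = body[22], body[29]
    if mac_len != 48 or ip_len not in (0, 32, 128):
        raise MalformedNLRI(f"bad MAC/IP length fields: {mac_len}/{ip_len} bits")
    ip_bytes = ip_len // 8
    labels = body[TYPE2_FIXED + ip_bytes:]
    if len(labels) not in (3, 6):  # MPLS Label1 plus optional Label2, 3 bytes each
        raise MalformedNLRI(f"expected 3 or 6 label bytes after the IP, got {len(labels)}")
    return {
        "rd": body[0:8].hex(), "esi": body[8:18].hex(),
        "eth_tag": int.from_bytes(body[18:22], "big"),
        "mac": body[23:29].hex(":"),
        "ip": str(ipaddress.ip_address(body[30:30 + ip_bytes])) if ip_bytes else None,
        # label value is the top 20 bits of each 3-byte field
        "labels": [int.from_bytes(labels[i:i + 3], "big") >> 4 for i in range(0, len(labels), 3)],
    }

def parse_evpn_nlri(data: bytes, allowed_types=frozenset(ROUTE_TYPE_NAMES)) -> list:
    # Walk the {route type, length, body} entries with strict bounds checks.
    routes, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedNLRI("truncated NLRI header")
        rtype, rlen = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + rlen]
        if len(body) != rlen:
            raise MalformedNLRI(f"route type {rtype} claims {rlen} bytes, only {len(body)} present")
        if rtype not in allowed_types:
            raise MalformedNLRI(f"route type {rtype} not permitted by inbound policy")
        route = {"type": rtype, "name": ROUTE_TYPE_NAMES.get(rtype, "unknown")}
        if rtype == 2:
            route.update(parse_type2(body))
        routes.append(route)
        pos += 2 + rlen
    return routes

# Constructed sample: one valid type-2 route (IPv4 host 10.1.1.1, label 100) and a truncated copy.
SAMPLE_OK = (bytes([2, 37]) + bytes(22) + bytes([48]) + bytes.fromhex("0050569a0001")
             + bytes([32, 10, 1, 1, 1]) + bytes.fromhex("000640"))
SAMPLE_TRUNCATED = SAMPLE_OK[:-5]  # header still claims 37 body bytes
```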
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — BGP UPDATE messages |
| Attack Complexity | High — requires BGP session/injection capability |
| Impact | Device reload or BGP table corruption |
| Target | IOS XE with EVPN BGP (service provider, data center) |
Exploitation Context
- Service provider and data center infrastructure targeting: EVPN BGP is deployed in service provider and hyperscale data center environments; disrupting or corrupting routing in these environments has cascading effects on all customers and services using that infrastructure
- BGP as a target for nation-state actors: Nation-state actors have demonstrated capability to exploit BGP for traffic hijacking, reconnaissance, and disruption; CVE-2017-12319's potential for routing table corruption makes it particularly interesting for intelligence and disruption purposes beyond simple DoS
- KEV context: Added with the September 2017 Cisco bundle in March 2022, reflecting the broader CISA campaign to ensure US government and critical infrastructure organizations patch network device vulnerabilities exploited by nation-state actors
Remediation
- Apply Cisco IOS XE security update — upgrade to IOS XE versions identified in cisco-sa-20171025-evpn.
- Implement BGP authentication — configure MD5 authentication on all BGP sessions to prevent unauthorized BGP UPDATE injection; only authenticated BGP peers can send updates that trigger the vulnerable code path.
- Apply BGP route filtering — configure inbound BGP route filters (prefix lists, route maps) that reject unexpected EVPN route types; limiting which EVPN BGP routes are processed reduces the attack surface.
- Monitor BGP table changes — alert on unexpected BGP routing table changes, including unexpected route additions or unexpected device reloads on BGP-speaking devices.
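For the monitoring item above, an added example (not Cisco's or CISA's) that correlates IOS-style syslog lines: a BGP NOTIFICATION with error code 3 (UPDATE Message Error) followed within a window by a system restart on the same device, or repeated UPDATE errors from one peer, is flagged. The log lines are constructed, and the correlation rule is an assumption about what a malformed-UPDATE reload would look like in syslog, not a documented signature.

```python
import re
from datetime import datetime, timedelta

# IOS syslog shape: "<Mon d HH:MM:SS> <host> <seq>: %FACILITY-SEV-MNEMONIC: <text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
                     r"%(?P<msg>[A-Z]+-\d-[A-Z_]+): (?P<rest>.*)$")
NOTIF_RE = re.compile(r"(?:sent to|received from) neighbor (?P<peer>\S+) (?P<code>\d+)/(?P<sub>\d+)")

def parse_line(line: str):
    """Split one syslog line into timestamp, host, message id and text; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")  # year-less; fine for deltas
    return {"ts": ts, "host": m["host"], "msg": m["msg"], "rest": m["rest"]}

def find_update_error_alerts(lines, window=timedelta(minutes=10), repeat_threshold=3):
    """Alert on (a) a restart within `window` after a BGP UPDATE-error NOTIFICATION on the same
    device and (b) a peer that has triggered `repeat_threshold` such NOTIFICATIONs."""
    alerts, last_err, err_count = [], {}, {}
    for e in filter(None, map(parse_line, lines)):
        if e["msg"] == "BGP-3-NOTIFICATION":
            n = NOTIF_RE.search(e["rest"])
            if n and n["code"] == "3":  # error code 3 = UPDATE Message Error (RFC 4271 section 6.3)
                last_err[e["host"]] = (e["ts"], n["peer"])
                key = (e["host"], n["peer"])
                err_count[key] = err_count.get(key, 0) + 1
                if err_count[key] == repeat_threshold:
                    alerts.append(f"{e['host']}: {repeat_threshold} malformed UPDATEs from peer {n['peer']}")
        elif e["msg"] in ("SYS-5-RESTART", "SYS-5-RELOAD"):
            prev = last_err.get(e["host"])
            if prev and e["ts"] - prev[0] <= window:
                alerts.append(f"{e['host']}: restart at {e['ts']:%H:%M:%S} within {window} "
                              f"of an UPDATE error from peer {prev[1]}")
    return alerts

# Constructed sample lines in IOS syslog format (not real captures).
SAMPLE_LOG = """\
Mar  3 10:15:02 pe1 1234: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.10 3/1 (update malformed) 0 bytes
Mar  3 10:15:02 pe1 1235: %BGP-5-ADJCHANGE: neighbor 192.0.2.10 Down BGP Notification sent
Mar  3 10:16:40 pe1 1: %SYS-5-RESTART: System restarted --
Mar  3 10:20:00 pe2 77: %BGP-5-ADJCHANGE: neighbor 192.0.2.20 Up
""".splitlines()

if __name__ == "__main__":
    for alert in find_update_error_alerts(SAMPLE_LOG):
        print(alert)
```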
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-12319 |
| Vendor / Product | Cisco — IOS XE Software |
| NVD Published | 2018-03-27 |
| NVD Last Modified | 2026-01-13 |
| CVSS 3.1 Score | 5.9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | MEDIUM |
| CWE | CWE-20 — Improper Input Validation |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2017-10-25 | Cisco releases advisory cisco-sa-20171025-evpn patching CVE-2017-12319 in IOS XE EVPN BGP |
| 2018-03-27 | CVE-2017-12319 published by NVD |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-12319 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Cisco Security Advisory cisco-sa-20171025-evpn | Vendor Advisory |