CVE-2022-20821 — Cisco IOS XR Open Port Vulnerability

Cisco IOS XR — Health Check RPM Exposes Unauthenticated Redis Instance on TCP 6379 to Network Attackers

What is Cisco IOS XR?

Cisco IOS XR is the operating system on Cisco's carrier-grade routers (ASR 9000, NCS and Cisco 8000 series, and the older CRS series) deployed by telecommunications providers, ISPs, and large enterprises. Modern 64-bit IOS XR runs on a Linux host and isolates infrastructure services in containers. The health check RPM is an optional installable package that provides system health monitoring; when it is installed and active, one of those container-internal services becomes reachable from the network, sidestepping the access controls that normally apply to the router's management plane.

Overview

CVE-2022-20821 is an open port vulnerability (CWE-200, information exposure) in the health check RPM for Cisco IOS XR software. When the optional health check RPM is installed and active, it opens TCP port 6379, the standard Redis port, on the router's network interfaces, including management and data interfaces. The Redis instance behind that port runs inside the NOSi container and accepts connections without authentication from any host that can reach the router on port 6379. Cisco published its advisory on 2022-05-20 and reported attempted exploitation; CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on 2022-05-23.

Affected Versions

Product                    Vulnerable   Condition
Cisco IOS XR 7.3.15        Yes          Health check RPM installed and active
Cisco IOS XR 7.4.1         Yes          Health check RPM installed and active
Cisco IOS XR 7.4.2         Yes          Health check RPM installed and active
Other IOS XR releases      No           Health check RPM not installed, or a release Cisco lists as fixed

Cisco's advisory scopes the vulnerability to Cisco 8000 Series Routers running a vulnerable release with the health check RPM installed and active. A device on an affected release without the RPM does not listen on the port.

Technical Details

The health check RPM starts a Redis instance inside the NOSi container to store health monitoring data. The instance listens on all interfaces (0.0.0.0:6379) rather than on loopback or an interface internal to the container, so the port is reachable from the network:

  • Exposed service: Redis on 6379/TCP, an in-memory data store that requires no credentials unless a password or ACL users are explicitly configured
  • Attack vector: any network-reachable host can connect to port 6379 and issue Redis commands
  • Impact: an attacker can read the health telemetry and operational data held in Redis (confidentiality) and can write to the in-memory database or, through Redis's own persistence commands, write files inside the container filesystem (integrity). Cisco's advisory states that the sandboxed container the instance runs in prevents remote code execution on, and compromise of the integrity of, the IOS XR host itself
  • No authentication required: a default Redis configuration has no password. Redis's protected mode, which refuses non-loopback clients, only engages when no bind directive and no password are configured, so an instance explicitly bound to 0.0.0.0 gets no protection from it
  • Network position: the attacker must be able to reach TCP port 6379 on the router. Management interfaces are usually reachable only from the management network; data plane interfaces may be far more broadly reachable

Discovery

Cisco found the vulnerability while resolving a TAC support case, and Cisco PSIRT reported in its advisory that it was aware of attempted exploitation in the wild. CISA added the CVE to KEV three days after the advisory was published.

Exploitation Context

Cisco routers running IOS XR are critical infrastructure: compromise of a carrier-grade router gives traffic visibility and the potential to manipulate traffic at scale. The health check RPM was an optional add-on installed by operators who wanted monitoring, so a meaningful share of deployments would have had it active. An attacker with access to the Redis instance can read internal router state, and Redis's administrative commands are well-known pivots: CONFIG SET dir and dbfilename followed by SAVE writes an RDB file to an attacker-chosen path, SLAVEOF (REPLICAOF) can point the instance at an attacker-controlled master, and DEBUG exposes internals. Here those primitives land inside the sandboxed NOSi container, which is why Cisco describes the impact as limited to the container rather than the IOS XR host.

Remediation

  1. Uninstall the health check RPM if it is not required; this is the primary fix. The exact package name and install command depend on the platform and release, so take the name from the active package list rather than typing it from memory. The page's example, for a platform where the package is named ncs5500-health-check:
    install remove ncs5500-health-check-<version>
    
  2. If the health check RPM is required, move to the fixed release or apply the software maintenance update (SMU) that Cisco's advisory lists for your release
  3. Block TCP port 6379 to all IOS XR devices at the network perimeter and in the ingress ACLs on management interfaces, so the port is unreachable even while the RPM remains installed
  4. Audit which IOS XR devices have the health check RPM installed: show install active | include health
  5. Review router access logs and perimeter logs for unexpected connections to port 6379, including the period before the advisory was published, since Cisco reported exploitation attempts
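The log review in the last step, as an added example that is not Cisco tooling: it filters ACL-logging style syslog records for any attempt against TCP 6379 on a router, separates trusted sources (a monitoring host that legitimately talks to the port) from everything else, and totals packets per source, destination and ACL action. The record layout is an assumption modelled on IOS XR IPv4 ACL log messages and the sample lines are constructed for the demonstration; check the regular expression against what your collector actually receives before relying on it.

```python
#!/usr/bin/env python3
"""Flag connection attempts to TCP 6379 on IOS XR devices in ACL log records.
Added example for this page, not Cisco tooling. The message layout is an
assumption modelled on IOS XR IPv4 ACL logging; the sample log is constructed."""
import re
from collections import Counter

REDIS_PORT = 6379

# Assumed shape (constructed for this example):
#   ... %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list NAME (SEQ) ACTION tcp SRC(SPORT) -> DST(DPORT), N packets
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) \((?P<seq>\d+)\) (?P<action>permit|deny) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r", (?P<packets>\d+) packet"
)

# Constructed sample: one outside scanner hits two routers; 10.10.9.5 is a trusted monitor.
SAMPLE_LOG = """\
May 24 10:01:12 rtr-core-1 %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list MGMT-IN (10) deny tcp 198.51.100.7(51432) -> 10.10.0.1(6379), 1 packet
May 24 10:01:13 rtr-core-1 %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list MGMT-IN (10) deny tcp 198.51.100.7(51433) -> 10.10.0.1(6379), 3 packets
May 24 10:02:40 rtr-core-1 %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list MGMT-IN (20) permit tcp 10.10.9.5(40210) -> 10.10.0.1(22), 1 packet
May 24 10:05:02 rtr-core-2 %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list MGMT-IN (10) deny tcp 198.51.100.7(51500) -> 10.10.0.2(6379), 1 packet
May 24 10:05:03 rtr-core-2 %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list MGMT-IN (20) permit tcp 10.10.9.5(40300) -> 10.10.0.2(6379), 1 packet
May 24 10:06:00 rtr-core-2 %SYS-5-CONFIG_I : Configured from console by admin
"""

def parse_record(line: str):
    """Parse one ACL log line into a dict, or None for lines that are not ACL logs."""
    m = ACL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "sport", "dport", "packets"):
        rec[key] = int(rec[key])
    fields = line.split()
    rec["device"] = fields[3] if len(fields) > 3 else ""   # assumes syslog "Mon DD HH:MM:SS host ..."
    return rec

def find_redis_attempts(lines, trusted=frozenset()):
    """Return every TCP/6379 attempt from a source not in `trusted`.

    Permitted and denied hits are both kept: a permit from an unknown source is the
    one that needs immediate follow-up, a deny shows who is scanning for the port.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == REDIS_PORT and rec["src"] not in trusted:
            hits.append(rec)
    return hits

def summarize(hits):
    """(src, dst, action) -> total packets, for a quick triage view."""
    totals = Counter()
    for h in hits:
        totals[(h["src"], h["dst"], h["action"])] += h["packets"]
    return totals

if __name__ == "__main__":
    attempts = find_redis_attempts(SAMPLE_LOG.splitlines(), trusted={"10.10.9.5"})
    for (src, dst, action), packets in sorted(summarize(attempts).items()):
        print(f"{src:>16} -> {dst:<12} {action:<6} {packets} packets")
```

Feed it the collector's export instead of SAMPLE_LOG and put your monitoring hosts in the trusted set; anything left over is either a scanner or a host that should not know the port exists.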

Key Details

Property               Value
CVE ID                 CVE-2022-20821
Vendor / Product       Cisco — IOS XR
NVD Published          2022-05-26
NVD Last Modified      2025-10-28
CVSS 3.1 Score         6.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity               MEDIUM
CWE                    CWE-200
CISA KEV Added         2022-05-23
CISA KEV Deadline      2022-06-13
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-06-13. Apply updates per vendor instructions.

Timeline

Date        Event
2022-05-20  Cisco publishes its advisory and reports attempted exploitation in the wild
2022-05-23  CISA adds the CVE to the Known Exploited Vulnerabilities catalog
2022-05-26  CVE record published in NVD
2022-06-13  CISA BOD 22-01 remediation deadline