CVE-2012-1366 in ASR 1002 Router

Summary

by MITRE

Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.


Analysis

by VulDB Data Team • 05/11/2026

Cisco IOS versions prior to 15.1(1)SY on ASR 1000 series devices contain a critical vulnerability in the Multicast Listener Discovery (MLD) implementation that enables remote attackers to trigger unauthorized device reloads. This vulnerability specifically affects IPv6 multicast operations when MLD tracking is enabled, creating a condition where malformed or specially crafted MLD packets can cause the affected router to crash and subsequently reload its operating system. The flaw represents a denial of service attack vector that can be exploited from remote network locations without requiring authentication or privileged access. The vulnerability has been assigned the bug ID CSCtz28544 and demonstrates a significant weakness in the IOS kernel's handling of IPv6 multicast traffic processing. The technical implementation flaw occurs within the MLD packet parsing mechanism where insufficient input validation and error handling allows maliciously formatted packets to trigger memory corruption or execution flow disruption within the routing process.

The operational impact of this vulnerability extends beyond simple service disruption as it can lead to complete network outages when affected ASR 1000 devices are part of critical routing paths. Network administrators may experience unexpected device reloads that can take several minutes to complete, during which time routing services are unavailable to downstream network segments. The vulnerability affects the fundamental multicast functionality of the router, potentially impacting services that rely on IPv6 multicast communication such as video streaming, network management protocols, and real-time application delivery. In enterprise or service provider environments where ASR 1000 devices serve as core routing infrastructure, this vulnerability could result in cascading failures affecting multiple network domains and services. The remote exploitability means that attackers need not have physical access to the device or be on the same network segment, making it particularly dangerous in environments where network segmentation is not properly implemented.

This vulnerability aligns with CWE-121, which describes heap-based buffer overflow conditions, and demonstrates characteristics consistent with CWE-122, heap-based buffer overflows in memory management. The attack pattern corresponds to techniques described in the MITRE ATT&CK framework under the T1499 category for network denial of service, specifically targeting network infrastructure devices to cause service disruption. The vulnerability's exploitation requires sending crafted MLD packets that trigger improper handling within the IOS kernel's multicast processing modules. The affected devices operate under the assumption that incoming multicast traffic will conform to expected protocols, but the lack of proper validation allows maliciously constructed packets to bypass normal protocol handling and execute code paths that lead to system instability. Network security teams should consider this vulnerability as part of their broader denial of service threat modeling, particularly for IPv6-enabled networks where multicast tracking is implemented. The fix requires upgrading to Cisco IOS version 15.1(1)SY or later, which includes proper input validation and error handling for MLD packet processing to prevent the exploitation conditions that lead to device reloads.

Organizations should implement immediate network monitoring to detect unusual MLD packet patterns that might indicate exploitation attempts. The vulnerability highlights the importance of maintaining current firmware versions on critical network infrastructure and demonstrates the necessity of implementing network segmentation to limit the potential impact of such attacks. Security teams should also consider implementing access control lists or firewall rules that can filter or rate-limit MLD traffic to reduce the attack surface. The affected ASR 1000 series devices represent a significant portion of Cisco's service provider routing portfolio, making this vulnerability particularly concerning for network operators who depend on these platforms for core routing services. Regular vulnerability assessments and security audits should include verification of MLD tracking configurations and proper IOS version compliance to prevent exploitation of this and similar multicast-related vulnerabilities.
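The monitoring recommended above can start from MLD's own sending rules. The following Python is an added example, not code from VulDB, MITRE or Cisco: it checks a raw IPv6 packet against the basic requirements of RFC 2710 and RFC 3810 (hop limit of 1, link-local source, Router Alert option, consistent lengths). It is a generic conformance check, not a signature for CSCtz28544, whose packet format this page does not describe; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

MLD_TYPES = {130: "query", 131: "v1-report", 132: "done", 143: "v2-report"}

def has_router_alert(opts: bytes) -> bool:
    """Walk Hop-by-Hop TLVs for Router Alert (type 5); Pad1 (0) has no length."""
    i = 0
    while i < len(opts):
        if opts[i] == 5:
            return True
        i += 1 if opts[i] == 0 or i + 1 >= len(opts) else 2 + opts[i + 1]
    return False

def check_mld(pkt: bytes):
    """Return None for non-MLD packets, else a list of conformance findings."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_hdr, hop_limit, off, alert = pkt[6], pkt[7], 40, False
    src = ipaddress.IPv6Address(pkt[8:24])
    if next_hdr == 0 and len(pkt) >= 42:        # Hop-by-Hop Options header
        ext_len = (pkt[41] + 1) * 8
        alert = has_router_alert(pkt[42:40 + ext_len])
        next_hdr, off = pkt[40], 40 + ext_len
    if next_hdr != 58 or len(pkt) <= off or pkt[off] not in MLD_TYPES:
        return None
    icmp, kind, findings = pkt[off:], MLD_TYPES[pkt[off]], []
    if hop_limit != 1:
        findings.append("hop limit is not 1")
    if not (src.is_link_local or (src.is_unspecified and "report" in kind)):
        findings.append("source is not link-local")
    if not alert:
        findings.append("no Router Alert option")
    if len(icmp) < (8 if kind == "v2-report" else 24):
        findings.append("truncated MLD message")
    elif kind == "v2-report":
        records = struct.unpack("!H", icmp[6:8])[0]
        if 8 + 20 * records > len(icmp):        # each record is >= 20 bytes
            findings.append("record count exceeds payload")
    return findings

# Constructed sample packets (not captured traffic; checksums left as zero).
def build_ipv6(src, hop, next_hdr, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in (src, "ff02::16"))
    return hdr + addrs + payload
HBH = bytes([58, 0, 5, 2, 0, 0, 1, 0])          # next=ICMPv6, Router Alert, PadN
GOOD = build_ipv6("fe80::1", 1, 0, HBH + bytes([143, 0, 0, 0, 0, 0, 0, 0]))
BAD = build_ipv6("2001:db8::1", 64, 58, bytes([143, 0, 0, 0, 0, 0, 0, 4]))
```

Because conforming MLD traffic never leaves the local link, any finding on a packet seen at a routed boundary is worth an alert or a drop rule regardless of its payload.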

Reservation

02/27/2012

Disclosure

04/23/2014

Moderation

accepted

Entry

VDB-69444

CPE

ready

EPSS

0.00182

KEV

no

Activities

very low
