CVE-2022-20821

Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 20, 2026 · 2 articles · Published: 2022-05-26

EPSS Score

Source: FIRST.org · 2026-05-24
8.84% probability
This CVE has an 8.84% probability of being exploited in the next 30 days.
Top 92.6th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
6.5 MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

VulnerabilityLookup (CNA)
A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.

Affected Products

Cisco
Cisco IOS XR Software

Attack Intelligence

Signal Intelligence

Confidence: 85%
EPSS: 8.84%
CVSS v3.1: 6.5
Mentions: 2
Last Seen: May 20, 2022

CNA Information

CNA Assigner: cisco
CNA Title: Cisco IOS XR Software Health Check Open Port Vulnerability

Analyst Note

CVE-2022-20821 is explicitly named as a zero-day by Cisco and both authoritative sources (TheHackerNews, BleepingComputer) confirm exploitation in the wild. The article titles explicitly state 'zero-day exploited in the wild' and 'zero-day exploited in attacks,' with Cisco issuing patches in response to active real-world attacks. The timing aligns with simultaneous patch and exploitation disclosure.

Triage Info

Decided at: Mar 20, 2026
Published Date: May 26, 2022