Cisco has disclosed a zero-day vulnerability, CVE-2025-20352, in its widely used IOS and IOS XE software, confirming that it is being actively exploited in the wild.
The flaw exists in the Simple Network Management Protocol (SNMP) subsystem and can allow a remote attacker to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition on vulnerable devices.
The vulnerability was first identified during the investigation of a Cisco Technical Assistance Center (TAC) support case.
The vulnerability is rooted in a stack overflow condition (CWE-121) within the SNMP subsystem of both Cisco IOS and IOS XE software. An attacker can trigger this flaw by sending a crafted SNMP packet over an IPv4 or IPv6 network to an affected device.
The advisory, published on September 24, 2025, confirms that all versions of SNMP (v1, v2c, and v3) are susceptible.
The severity of the exploit depends on the attacker's privilege level:
A low-privileged but authenticated remote attacker can cause the affected device to reload, resulting in a DoS condition. This requires access to a read-only community string (SNMPv1 or SNMPv2c) or valid SNMPv3 user credentials.
A high-privileged attacker holding administrative (privilege level 15) credentials in addition to SNMP access can execute arbitrary code as the root user on devices running IOS XE, effectively gaining full control of the system.
Active Exploitation and Affected Devices
Cisco's Product Security Incident Response Team (PSIRT) has confirmed successful exploitation of this vulnerability in the wild.
According to the advisory, the attackers leveraged the flaw after first compromising local administrator credentials, demonstrating a chained attack: credential theft first, then the SNMP stack overflow.
This highlights the critical need for robust credential management alongside patching; the RCE path is unreachable without privilege 15 credentials, and the DoS path is unreachable without an SNMP community string or SNMPv3 user.
The vulnerability affects a broad range of Cisco devices running vulnerable releases of IOS and IOS XE software where SNMP is enabled. Specific products mentioned include the Meraki MS390 and Cisco Catalyst 9300 Series Switches.
Product                             | Affected versions                                                                                  | Fixed release
Cisco IOS & IOS XE Software         | All releases with SNMP enabled prior to the first fixed software release are considered vulnerable. | Customers should use the Cisco Software Checker to determine the appropriate patched release for their specific software train.
Meraki MS390 Switches               | Meraki CS 17 and earlier.                                                                          | Addressed in Cisco IOS XE Software Release 17.15.4a.
Cisco Catalyst 9300 Series Switches | Meraki CS 17 and earlier.                                                                          | Addressed in Cisco IOS XE Software Release 17.15.4a.
Any device with SNMP enabled is considered vulnerable unless specific configuration is in place to block the malicious traffic. Administrators can inspect the running configuration to determine whether SNMP is active on their systems.
Cisco has released software updates to fix this vulnerability and strongly recommends that all customers upgrade to a patched software release to fully remediate the issue. The advisory, identified as cisco-sa-snmp-x4LPhte, states that there are no workarounds available.
For organizations that cannot immediately apply the updates, Cisco has provided a mitigation. Administrators can configure an SNMP view that excludes the affected object identifiers (OIDs) listed in the advisory, preventing the vulnerable code path from being reached.
However, Cisco cautions that this mitigation may disrupt network management functions such as device discovery and hardware inventory monitoring, because the excluded subtrees are the ones those tools poll. As a general security measure, Cisco also advises restricting SNMP access to trusted users and management hosts only.
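The verification commands and the interim mitigation described above, written out as an added example in Cisco IOS/IOS XE CLI syntax. This is not configuration taken from the advisory: the view name NO-VULN, the ACL SNMP-MGMT, the management host 192.0.2.10, the group and user names, and the placeholders in angle brackets are all assumed. The excluded OID subtree must be taken from the advisory itself; the placeholder <AFFECTED-OID> stands in for each OID it lists.

```cisco
! ---- 1. Is SNMP enabled on this device? (exec mode) ----
! SNMPv1/v2c: any configured community string means the DoS path is reachable
show running-config | include snmp-server community
! SNMPv3: configured users are not shown in running-config, so check them here
show snmp user
! Views currently defined and bound to communities/groups
show snmp view

! ---- 2. Restrict SNMP to trusted management hosts (config mode) ----
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny any log

! ---- 3. Interim mitigation: a view that excludes the affected OID subtrees ----
! "iso included" keeps everything, then each advisory OID is carved out.
! Repeat the "excluded" line once per OID listed in cisco-sa-snmp-x4LPhte.
snmp-server view NO-VULN iso included
snmp-server view NO-VULN <AFFECTED-OID> excluded

! ---- 4. Bind the view and the ACL to every v1/v2c community and v3 group ----
! A community or group without "view NO-VULN" still exposes the vulnerable subtree.
snmp-server community <RO-COMMUNITY> view NO-VULN RO SNMP-MGMT
snmp-server group NMS-V3 v3 priv read NO-VULN access SNMP-MGMT
snmp-server user nms-poller NMS-V3 v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
```

After applying the view, re-run `show snmp view` and confirm that every community and v3 group reported in step 1 now references NO-VULN; a single unbound community string leaves the stack overflow reachable. Excluding the subtrees breaks the polls Cisco warns about (discovery and hardware inventory), so treat this as a stopgap until the device is on a fixed release.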