Cisco’s Easy Community Administration Protocol (SNMP) implementations in IOS and IOS XE have come beneath intense scrutiny following studies of lively exploitation within the wild.
First disclosed in August 2025, CVE-2025-20352 describes a crucial buffer overflow within the SNMP engine that permits unauthenticated distant attackers to execute arbitrary code.
The vulnerability arises when an outsized payload is shipped in a GetBulk request, overrunning an inside buffer and redirecting management circulate to attacker-supplied shellcode.
Preliminary indicators emerged when community operators started noticing unexplained machine reboots and anomalous SNMP site visitors patterns.
Subsequent forensic evaluation revealed that compromised routers have been pinging exterior command-and-control servers instantly after dealing with malformed SNMP requests.
CISA analysts recognized this habits inside weeks of the vulnerability’s public disclosure, warning that adversaries are leveraging CVE-2025-20352 to determine persistent footholds in enterprise networks.
The influence spans a variety of Cisco platforms, from ISR 4000 Sequence routers to Catalyst switches operating IOS XE variations previous to 17.10.
Exploitation requires solely community reachability to the SNMP service and no legitimate credentials, making uncovered administration interfaces notably harmful.
In a single reported incident, attackers deployed a customized payload that established a reverse shell again to an attacker-controlled host, enabling full distant management of the machine.
An infection Mechanism
Beneath the hood, the assault leverages a malformed PDU that triggers an out-of-bounds write within the SNMP engine’s stack.
Upon receiving a GetBulk request with a size area exceeding the utmost buffer dimension, the SNMP handler fails to validate the message dimension.
This overflow overwrites the saved return handle on the stack, diverting execution to shellcode embedded within the packet.
As soon as execution begins, the payload initializes a socket connection again to the attacker’s IP handle:-
from pysnmp.hlapi import *
payload = b”x90″ * 100 + reverse_shell_shellcode
sendNotification(
SnmpEngine(),
CommunityData(‘public’),
UdpTransportTarget((‘192.0.2.123’, 161)),
ContextData(),
NotificationType(
ObjectIdentity(‘1.3.6.1.4.1.9.9.96’),
(‘1.3.6.1.4.1.9.9.96.1.1’, OctetString(payload))
)
)
The packet construction highlights how the outsized size area and embedded shellcode mix to hijack execution.
Community defenders are urged to use the newest Cisco patches instantly and to limit SNMP entry to trusted hosts solely.
Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
