Cisco

Cisco IOS/IOS XE SNMP Zero-Day – CVE-2025-20352 Exploited in the Wild

Cisco’s SNMP flaw (CVE-2025-20352) is under active attack, enabling device crashes or remote code execution. Patch now to protect critical IOS/IOS XE systems.

J

J

3 min read
Cisco IOS/IOS XE SNMP Zero-Day – CVE-2025-20352 Exploited in the Wild
💡
Cisco has disclosed CVE-2025-20352, a high-severity flaw in the SNMP subsystem of IOS and IOS XE. Attackers can crash devices or, in some cases, execute arbitrary code with root privileges. This vulnerability is already being exploited in the wild, prompting CISA to add it to its catalog of Known Exploited Vulnerabilities. Organizations must treat this as an urgent matter: patch immediately, restrict SNMP access, and monitor for suspicious activity.

Overview of the Vulnerability

On September 24, 2025, Cisco released an advisory for CVE-2025-20352, a stack-based buffer overflow (CWE-121)in the SNMP service of Cisco IOS and IOS XE. Improper memory handling allows attackers to send specially crafted SNMP packets that trigger the overflow. Depending on the conditions, the outcome may be a denial-of-service attack that forces a device to reload or a remote code execution attack that provides root-level control. The vulnerability carries a CVSS score of 7.7 (High).

Cisco confirmed that this issue was exploited before disclosure, making it a genuine zero-day. The combination of widespread SNMP usage and the potential for both disruption and takeover emphasizes the need for rapid response.

Affected Systems

The vulnerability impacts devices running Cisco IOS and IOS XE with SNMP enabled, covering a wide range of routers and switches. Key affected systems include:

  • Cisco Meraki MS390 and Catalyst 9300 switches on Meraki firmware CS 17 or earlier.
  • Other IOS and IOS XE devices where SNMP services are enabled.
  • Not affected: NX-OS and IOS XR platforms.

In practice, any unpatched IOS or IOS XE device that responds to SNMP queries should be treated as vulnerable.

Exploitation Details

Exploitation requires crafted SNMP packets sent to a target device. Two main scenarios exist:

  • Denial-of-Service (DoS): Requires only read-only SNMP credentials, which are often weak or left as defaults such as "public." Attackers can trigger the overflow and force the device to reload.
  • Remote Code Execution (RCE): Requires both SNMP access and administrator-level credentials. Once combined, attackers can execute commands as the root user, gaining complete control of the device.

Cisco’s PSIRT has confirmed successful exploitation in the wild. Researchers estimate millions of Cisco devices expose SNMP services, making this an attractive target.

Detection Guidance

Security teams should use a layered approach to detect exposure and potential exploitation:

  • Vulnerability Scanning:
    • Qualys signature: QID 317727
    • Tenable Nessus plugin: ID 266454
    • Cisco Software Checker (Bug ID: CSCWQ31287)
  • Monitoring & Logs:
    • Watch for unusual SNMP queries, authentication failures, or device reloads.
    • Check crash logs and syslog entries for SNMP-related anomalies.

Configuration Audits:
Run the command:

show snmp host

To list configured SNMP managers. Any unfamiliar entries may signal misuse.

Remediation Guidance

The permanent solution is to apply Cisco’s patches immediately. Fixed releases include IOS XE 17.15.4a and equivalent IOS updates. Cisco provides a version matrix in its advisory.

For environments unable to patch right away, interim mitigations include:

  • Restrict SNMP to trusted management networks with ACLs.
  • Replace default SNMP strings with strong, unique values; prefer SNMPv3 with authentication for enhanced security.
  • Apply SNMP views to filter vulnerable OIDs (not supported on all versions).
  • Disable SNMP if it is not strictly required.

Recommendations for Security Teams

Organizations should prioritize patching internet-facing and core infrastructure devices to ensure optimal security. Beyond patching:

  • Credential Security: Rotate SNMP and admin credentials; enforce stronger authentication.
  • Monitoring: Increase log collection and SIEM correlation for SNMP events.
  • Incident Response: Prepare to isolate devices, analyze crash logs, and reimage if compromise is suspected.
  • Hardening: Reduce exposure of management protocols across the network and segment management traffic to enhance security.

This event serves as another reminder that network devices must be treated as critical IT assets, with dedicated patching and monitoring programs in place.

Timeline of Events

  • September 24, 2025: Cisco advisory and patches released.
  • September 25, 2025: Security vendors (Qualys, SOCRadar) publish technical write-ups.
  • September 29, 2025: CISA adds CVE-2025-20352 to KEV catalog; federal agencies ordered to patch by October 20.
  • October 2025: Scanning and exploitation observed at scale; millions of exposed devices identified.

External References

Conclusion

CVE-2025-20352 illustrates how flaws in widely used management protocols, such as SNMP, can have a disproportionate impact. With confirmed active exploitation, organizations should not delay. Apply patches as soon as possible, enforce access restrictions, and monitor aggressively until remediation is complete.

Read more

© 2025 Threat On The Wire. All rights reserved.