Cisco Unveils Critical Zero-Day Vulnerability in IOS and IOS XE Software
Cisco has recently divulged a significant zero-day vulnerability, designated CVE-2025-20352, impacting its extensively utilized IOS and IOS XE software. Alarmingly, this flaw is reportedly being actively exploited in the field.
The vulnerability resides within the Simple Network Management Protocol (SNMP) subsystem, enabling a remote adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition on affected devices.
Discovery of this flaw transpired during an investigation by the Cisco Technical Assistance Center (TAC) into a support case.
The root of the vulnerability is a stack overflow condition (CWE-121) within the SNMP subsystem of both software platforms. An attacker can trigger this flaw by transmitting a specially crafted SNMP packet over either an IPv4 or IPv6 network to the affected device.
According to the advisory released on September 24, 2025, all variants of SNMP (v1, v2c, and v3) are vulnerable.
The severity of the exploit varies based on the attacker’s privilege level:
- An authenticated remote attacker with low privileges can force the affected device to reload, resulting in a DoS condition. This necessitates access to an SNMPv2c read-only community string or valid SNMPv3 user credentials.
- A highly privileged attacker, possessing administrative or privilege 15 credentials, can execute arbitrary code as the root user on IOS XE devices, thereby seizing full control of the system.
Current Exploitation Landscape and Vulnerable Devices
The Cisco Product Security Incident Response Team (PSIRT) has corroborated the successful exploitation of this vulnerability in real-world scenarios.
Notably, attackers have utilized this vulnerability after initially compromising local administrator credentials, underscoring a chained attack methodology.
This highlights the imperative for robust credential management alongside timely patching.
The vulnerability impacts a wide variety of Cisco devices operating on susceptible releases of IOS and IOS XE where SNMP is enabled. Specific models affected include the Meraki MS390 and the Cisco Catalyst 9300 Series Switches.
Product | Affected Versions | Fixed Release
---|---|---
Cisco IOS & IOS XE Software | All releases with SNMP enabled prior to the first fixed software release are deemed vulnerable. | Customers are advised to use the Cisco Software Checker to identify the patched release for their specific software train.
Meraki MS390 Switches | Meraki CS 17 and prior versions. | Rectified in Cisco IOS XE Software Release 17.15.4a.
Cisco Catalyst 9300 Series Switches | Meraki CS 17 and earlier releases. | Cisco IOS XE Software Release 17.15.4a addresses this vulnerability.
Devices with SNMP enabled are considered vulnerable unless specific configurations effectively obstruct malicious traffic. Administrators can use the show running-config command to determine whether SNMP is active on their systems.
Cisco has released software updates to remediate this vulnerability and strongly advises all customers to upgrade to a fixed software release to mitigate the issue wholly. The advisory, labelled cisco-sa-snmp-x4LPhte, states that no workarounds are available.
For entities unable to enact updates immediately, Cisco has proposed a mitigation strategy, allowing administrators to configure an SNMP view that excludes the pertinent object IDs (OIDs), thus averting the triggering of the vulnerable code path.
Nevertheless, Cisco warns that this mitigation might disrupt essential network management functionalities, such as device discovery and hardware inventory monitoring. Additionally, it is prudent to restrict SNMP access strictly to trusted individuals as a general security precaution.
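As an added example (not from the article or from Cisco), the following script turns the show running-config check above into an offline audit: it parses a saved IOS/IOS XE configuration, reports whether SNMP is enabled, which community strings lack an access list, which SNMPv3 users exist, and which SNMP views are defined. The sample configuration, hostnames, credentials and the placeholder OID are constructed; the actual OIDs to exclude in a view come from Cisco's advisory, not from this script.

```python
"""Audit a saved `show running-config` for SNMP exposure relevant to
CVE-2025-20352. Added example, not Cisco tooling. The config below is a
constructed sample; PLACEHOLDER.OID stands in for the advisory's OIDs."""
import re

SAMPLE_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETOPS v3 priv read RESTRICTED
snmp-server user monitor NETOPS v3 auth sha p4ss priv aes 128 k3y
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED PLACEHOLDER.OID excluded
"""

COMMUNITY_RE = re.compile(
    r"snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$")
USER_RE = re.compile(r"snmp-server user (\S+) (\S+) v3")
VIEW_RE = re.compile(r"snmp-server view (\S+) (\S+) (included|excluded)")


def audit_snmp(config: str) -> dict:
    """Summarise SNMP settings found in an IOS/IOS XE running-config."""
    findings = {"snmp_enabled": False, "communities": [],
                "unrestricted_communities": [], "v3_users": [], "views": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server"):
            continue
        findings["snmp_enabled"] = True  # any snmp-server line enables the agent
        m = COMMUNITY_RE.match(line)
        if m:
            name, _view, _mode, acl = m.groups()
            findings["communities"].append(name)
            if acl is None:  # no ACL: any host that knows the string can query
                findings["unrestricted_communities"].append(name)
            continue
        m = USER_RE.match(line)
        if m:
            findings["v3_users"].append(m.group(1))
            continue
        m = VIEW_RE.match(line)
        if m:
            findings["views"].add(m.group(1))
    return findings


if __name__ == "__main__":
    for key, value in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Communities without an ACL and any device where snmp_enabled is true but no fixed release is installed are the items to prioritise.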
Source link: Cybersecuritynews.com.