Cisco Fixes SNMP Vulnerability CVE-2025-20352 Affecting IOS XE and Meraki Switches


Cisco has issued an urgent security warning about a serious vulnerability in IOS and IOS XE software that attackers are already exploiting in the wild. The flaw, tracked as CVE-2025-20352 with a CVSS score of 7.7, could allow cybercriminals to either take full control of vulnerable devices or cause a denial-of-service (DoS) attack.

The networking giant confirmed that attackers discovered this flaw after obtaining local administrator credentials, highlighting how stolen or weak credentials can quickly escalate into full-scale security risks.

The vulnerability lies in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE software. According to Cisco, the flaw is caused by a stack overflow condition that occurs when crafted packets are processed.

SNMP is widely used by network administrators to monitor, manage, and configure devices. But because it provides a channel into network equipment, vulnerabilities in SNMP can be especially dangerous.

An attacker could send a malicious SNMP packet over IPv4 or IPv6 networks to an affected device. Depending on their level of access, this can lead to two scenarios:

  • Low-privilege attackers: Trigger a DoS condition, crashing or disabling the device.

  • High-privilege attackers: Gain the ability to execute arbitrary code as the root user, effectively taking over the entire device.

Cisco clarified that certain conditions must be met for exploitation to succeed.

  1. For Denial-of-Service (DoS)

    • The attacker must have either the SNMPv2c (or earlier) read-only community string or valid SNMPv3 user credentials.

  2. For Remote Code Execution (RCE)

    • The attacker must have the SNMPv1 or v2c read-only community string, or valid SNMPv3 user credentials.

    • Additionally, they must have administrator-level or privilege 15 credentials on the device.

These requirements highlight the importance of credential security. Even though the vulnerability exists, attackers cannot exploit it without access to SNMP credentials.

Cisco confirmed that the vulnerability affects all versions of SNMP across its IOS and IOS XE software. Devices particularly impacted include:

  • Meraki MS390 switches

  • Cisco Catalyst 9300 Series Switches running Meraki CS 17 or earlier

The good news is that a fix has already been released in Cisco IOS XE Software Release 17.15.4a. Other Cisco products such as IOS XR Software and NX-OS Software are not affected.

Cisco warned that any device that has SNMP enabled and has not explicitly excluded the vulnerable object identifier (OID) should be considered at risk.


At the time of disclosure, Cisco stated that there are no direct workarounds that fully eliminate the risk of CVE-2025-20352. However, the company has suggested several mitigation strategies to reduce exposure:

  1. Restrict SNMP access

    • Limit SNMP access to trusted and known users only.

    • Review access controls and ensure unnecessary users are removed.

  2. Run SNMP monitoring commands

    • Use the "show snmp host" command to check SNMP configurations and monitor unusual activity.

  3. Disable affected OIDs

    • Administrators can disable the specific OIDs that trigger the vulnerability.

    • Note: Not all Cisco software supports the vulnerable OID. If the OID is invalid on a given version, that software is not impacted.

Cisco cautioned that excluding certain OIDs might impact device management functions such as discovery or hardware inventory through SNMP.
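The mitigations above (restrict who can use SNMP, and exclude the vulnerable OID from the views your communities and SNMPv3 groups are allowed to read) can be checked against a running-config export. The script below is an added example written for this article, not Cisco's own tooling; the configuration excerpt it audits is constructed, and the OID it treats as vulnerable is a placeholder value, not the real OID from Cisco's advisory. It flags default community strings, communities with no source access-list, SNMPv3 groups without authentication, and any community or group whose view does not exclude the placeholder OID; the `snmp-server view ... excluded` and `snmp-server community ... view ... RO <acl>` lines show the hardened form beside the legacy one.

```python
"""Audit an IOS / IOS XE SNMP configuration excerpt for the exposures the
advisory turns on: guessable community strings, communities with no source
ACL, SNMPv3 groups without authentication, and views that still expose the
vulnerable OID. Added example; constructed config; placeholder OID."""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# PLACEHOLDER: the real OID is in Cisco's advisory; this value is made up.
VULN_OID = "1.3.6.1.4.1.9.9.999"
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

# Constructed running-config excerpt: one legacy community, one hardened one.
SAMPLE_CONFIG = """\
hostname edge-sw-01
snmp-server community public RO
snmp-server community n0c-r34d view NOVULN RO 10
snmp-server view NOVULN iso included
snmp-server view NOVULN 1.3.6.1.4.1.9.9.999 excluded
snmp-server group MON v3 priv read NOVULN
snmp-server group LEGACY v3 noauth
access-list 10 permit 10.0.5.0 0.0.0.255
"""


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    line: str      # offending config line
    reason: str


def parse_views(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each view name to the OID subtrees it excludes."""
    views: Dict[str, Set[str]] = {}
    for ln in lines:
        m = re.match(r"snmp-server view (\S+) (\S+) (included|excluded)$", ln)
        if m:
            name, oid, mode = m.groups()
            views.setdefault(name, set())
            if mode == "excluded":
                views[name].add(oid)
    return views


def view_blocks_vuln_oid(views: Dict[str, Set[str]], name: Optional[str]) -> bool:
    """True if the view excludes VULN_OID itself or one of its parent subtrees."""
    if name is None or name not in views:
        return False
    return any(VULN_OID == o or VULN_OID.startswith(o + ".") for o in views[name])


def parse_community(ln: str) -> Optional[dict]:
    """Parse 'snmp-server community <str> [view V] [RO|RW] [ipv6 nacl] [acl]'."""
    toks = ln.split()
    if toks[:2] != ["snmp-server", "community"] or len(toks) < 3:
        return None
    info = {"name": toks[2], "view": None, "mode": "RO", "acl": None}
    rest, i = toks[3:], 0
    while i < len(rest):
        if rest[i] == "view" and i + 1 < len(rest):
            info["view"] = rest[i + 1]
            i += 2
            continue
        if rest[i].upper() in ("RO", "RW"):
            info["mode"] = rest[i].upper()
        elif rest[i] != "ipv6":
            info["acl"] = rest[i]      # numbered or named access-list
        i += 1
    return info


def audit(config: str) -> List[Finding]:
    """Return every SNMP exposure found in the config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    views = parse_views(lines)
    out: List[Finding] = []
    for ln in lines:
        c = parse_community(ln)
        if c is not None:
            if c["name"].lower() in DEFAULT_COMMUNITIES:
                out.append(Finding("high", ln, "default/guessable community string"))
            if c["mode"] == "RW":
                out.append(Finding("high", ln, "read-write community allows config changes via SNMP"))
            if c["acl"] is None:
                out.append(Finding("medium", ln, "no access-list restricts which hosts may use it"))
            if not view_blocks_vuln_oid(views, c["view"]):
                out.append(Finding("high", ln, "vulnerable OID reachable: no excluding view applied"))
            continue
        g = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)", ln)
        if g:
            if g.group(2) == "noauth":
                out.append(Finding("medium", ln, "SNMPv3 group without authentication"))
            rv = re.search(r"\bread (\S+)", ln)
            if not view_blocks_vuln_oid(views, rv.group(1) if rv else None):
                out.append(Finding("high", ln, "vulnerable OID reachable: no excluding read view"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}  <- {f.reason}")
```

Run it against the output of `show running-config` from each device; the hardened community `n0c-r34d` and the `MON` group produce no findings because both read through a view that excludes the placeholder OID and the community is tied to access-list 10. Replace the placeholder with the OID from Cisco's advisory before relying on the view check, and bear in mind the caution above that excluding OIDs can break SNMP-based discovery or inventory.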

This flaw is especially dangerous because it is already being exploited in active attacks. Once attackers gain valid SNMP credentials, they can:

  • Crash devices and disrupt critical services.

  • Run malicious code as root, giving them complete control over affected routers or switches.

  • Move laterally across networks, using compromised devices as a stepping stone to launch further attacks.

Since SNMP is commonly enabled in enterprise environments, many organizations may unknowingly be at risk.

To protect networks from CVE-2025-20352, Cisco strongly recommends that administrators:

  • Apply the security patch immediately by upgrading to Cisco IOS XE Release 17.15.4a.

  • Audit SNMP configurations and ensure only trusted administrators have SNMP credentials.

  • Monitor logs and device activity for suspicious SNMP behavior.

  • Disable unnecessary SNMP functionality if it is not essential for operations.
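For the "monitor logs and device activity" recommendation, the most direct signal an IOS or IOS XE device gives is its `%SNMP-3-AUTHFAIL` syslog message, which it logs when a request arrives with a bad community string or SNMPv3 credential. The detector below is an added example written for this article, not Cisco tooling; the syslog excerpt and the allowlist of monitoring hosts are constructed. It raises a medium alert for any failure from a host that is not a known NMS, escalates to high when one host fails repeatedly (credential guessing), and also escalates when a host that failed SNMP authentication shows up in a `%SYS-5-CONFIG_I` message, since the RCE path described above needs both SNMP credentials and privilege-15 access.

```python
"""Flag suspicious SNMP activity in IOS / IOS XE syslog: authentication
failures from hosts that are not the known monitoring servers, repeated
failures that look like credential guessing, and failures from a host that
also changed the device configuration. Added example; constructed data."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed allowlist: the only hosts that should ever speak SNMP to devices.
KNOWN_NMS = {"10.0.5.20", "10.0.5.21"}
BRUTE_FORCE_THRESHOLD = 3   # failures from one host before we call it guessing

# %SNMP-3-AUTHFAIL is logged on a bad community string or SNMPv3 credential;
# %SYS-5-CONFIG_I records who changed the running config and from where.
AUTHFAIL_RE = re.compile(
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)")
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \((\S+)\)")

# Constructed syslog excerpt (not a real capture).
SAMPLE_LOG = """\
Sep 25 10:01:02 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.20
Sep 25 10:02:14 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Sep 25 10:02:15 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Sep 25 10:02:15 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Sep 25 10:02:16 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Sep 25 10:05:40 edge-sw-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)
Sep 25 10:06:01 edge-sw-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9
"""


class Alert(NamedTuple):
    severity: str
    host: str
    count: int
    reason: str


def count_auth_failures(log: str) -> Dict[str, int]:
    """Count SNMP authentication failures per source host."""
    c: Counter = Counter()
    for line in log.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            c[m.group(1)] += 1
    return dict(c)


def config_sources(log: str) -> Dict[str, str]:
    """Map each host that issued a config change to the username it used."""
    src: Dict[str, str] = {}
    for line in log.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            src[m.group(2)] = m.group(1)
    return src


def analyze(log: str, known_nms=KNOWN_NMS, threshold=BRUTE_FORCE_THRESHOLD) -> List[Alert]:
    """Turn per-host failure counts into prioritised alerts."""
    failures = count_auth_failures(log)
    cfg = config_sources(log)
    alerts: List[Alert] = []
    for host, n in sorted(failures.items()):
        unknown = host not in known_nms
        if host in cfg:
            alerts.append(Alert("high", host, n,
                f"SNMP auth failures from a host that also changed config as '{cfg[host]}'"))
        elif n >= threshold and unknown:
            alerts.append(Alert("high", host, n,
                "repeated SNMP auth failures from an unknown host: possible credential guessing"))
        elif unknown:
            alerts.append(Alert("medium", host, n, "SNMP request from a host that is not a known NMS"))
        elif n >= threshold:
            alerts.append(Alert("medium", host, n, "repeated failures from a known NMS: check poller config"))
        # a single failure from a known NMS is left alone (usually a stale poller entry)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.host:15} failures={a.count}  {a.reason}")
```

Feed it the syslog stream your devices already export; a tuned allowlist matters more than the threshold, because in a well-restricted deployment any SNMP request from an unlisted host is worth a ticket on its own. The single failure from `10.0.5.20` is deliberately not alerted on, which keeps a misconfigured poller from drowning out the two hosts that actually warrant attention.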

Enterprises should also review their credential hygiene policies. If attackers gained access because of compromised administrator credentials, this incident reinforces the importance of strong password policies, multi-factor authentication (MFA), and regular credential rotation.

The Cisco SNMP vulnerability (CVE-2025-20352) serves as a strong reminder of the risks tied to widely used management protocols. While Cisco has acted quickly to release a patch, the fact that this flaw is already being exploited makes it urgent for organizations to respond immediately.

By patching devices, restricting SNMP access, and monitoring for suspicious activity, businesses can reduce the chances of falling victim to remote code execution or denial-of-service attacks.
