Cisco IOS 0-Day RCE Vulnerability Actively Targeted



Cisco has disclosed a critical zero-day vulnerability in its IOS and IOS XE software that is being actively exploited by threat actors in real-world attacks.

The flaw, tracked as CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) subsystem and allows both denial-of-service attacks and remote code execution depending on the attacker’s privilege level.

Critical SNMP Stack Overflow Enables Dual Attack Scenarios

The vulnerability stems from a stack overflow condition within the SNMP subsystem and affects all versions of the SNMP protocol (v1, v2c and v3).

Attackers can exploit this flaw by sending specially crafted SNMP packets to vulnerable devices over IPv4 or IPv6 networks. The security issue presents two distinct attack scenarios based on the attacker’s access level.

| CVE Number | Affected Product | Impact | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-20352 | Cisco IOS and IOS XE Software SNMP subsystem | DoS (low privilege) / Remote Code Execution (high privilege) | 7.7 (High) |

Low-privileged attackers who possess SNMPv2c read-only community strings or valid SNMPv3 user credentials can trigger a denial-of-service condition, causing affected systems to reload and disrupting network operations.

More concerning, high-privileged attackers with SNMPv1 or v2c read-only community strings combined with administrative or privilege 15 credentials can achieve full remote code execution as the root user, potentially gaining complete control over compromised systems.

The vulnerability affects a broad range of Cisco devices running vulnerable releases of IOS and IOS XE software.

Meraki MS390 and Cisco Catalyst 9300 Series switches running Meraki CS 17 and earlier versions are also impacted.

Cisco has confirmed that all devices with SNMP enabled should be considered vulnerable unless they have explicitly excluded the affected Object Identifier (OID).

Network administrators can determine if their devices are vulnerable by checking for SNMP configuration using CLI commands.

For SNMPv1 and v2c, the show running-config | include snmp-server community command will reveal whether SNMP is enabled. SNMPv3 can be verified using the show running-config | include snmp-server group and show snmp user commands.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that this vulnerability is being actively exploited following the compromise of local administrator credentials.

The company discovered the ongoing attacks during the resolution of a Technical Assistance Center support case, highlighting the real-world threat posed by this security flaw.

The vulnerability carries a CVSS 3.1 base score of 7.7, classified as High severity, with an attack vector of Network, Low complexity, and Changed scope.

The flaw is categorized under CWE-121 for stack-based buffer overflow conditions, emphasizing the critical nature of the underlying memory corruption issue.

Cisco has released software updates addressing this vulnerability and strongly recommends immediate upgrades to fixed releases.

No workarounds are available, though administrators can implement mitigations by disabling specific affected OIDs and restricting SNMP access to trusted users only.
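As an added example (not from Cisco or the article), the following Python audit helper applies the manual CLI checks above to a captured show running-config | include snmp-server output: it reports v1/v2c community strings, community strings with no ACL bound to them, SNMPv3 groups, and any view that excludes an OID, which is the mitigation Cisco describes. The sample configuration, community strings, ACL number and the OID placeholder are constructed; the real affected OID must be taken from the Cisco advisory.

```python
import re

# Constructed sample of "show running-config | include snmp-server" output.
# Community strings, ACL number and the excluded OID are made up; the OID
# placeholder stands in for the affected OID named in the Cisco advisory.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community netops RW 10
snmp-server group ADMINS v3 priv
snmp-server view NOVULN iso included
snmp-server view NOVULN AFFECTED_OID_PLACEHOLDER excluded
snmp-server host 192.0.2.10 version 2c public
"""

def audit_snmp(config: str) -> dict:
    """Audit snmp-server lines the way the advisory's manual CLI checks do.

    Reports v1/v2c community strings (the precondition for the DoS case),
    communities not restricted by an ACL, v3 groups, views that exclude an
    OID (the described mitigation), and configured trap/inform hosts."""
    findings = {"v1_v2c_communities": [], "unrestricted_communities": [],
                "v3_groups": [], "excluded_oids": [], "snmp_hosts": []}
    for line in config.splitlines():
        line = line.strip()
        # snmp-server community <string> [view <name>] RO|RW [<acl>]
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (.+))?$", line)
        if m:
            name, mode, acl = m.groups()
            findings["v1_v2c_communities"].append((name, mode))
            if acl is None:
                findings["unrestricted_communities"].append(name)
            continue
        # snmp-server group <name> v3 noauth|auth|priv [...]
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)", line)
        if m:
            findings["v3_groups"].append(m.group(1))
            continue
        # snmp-server view <name> <oid> excluded  (OID exclusion mitigation)
        m = re.match(r"snmp-server view (\S+) (\S+) excluded$", line)
        if m:
            findings["excluded_oids"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"snmp-server host (\S+)", line)
        if m:
            findings["snmp_hosts"].append(m.group(1))
    # Any community string or v3 group means SNMP is enabled on the device.
    findings["snmp_enabled"] = bool(findings["v1_v2c_communities"] or findings["v3_groups"])
    return findings
```

A device with no snmp-server community or group lines is reported as SNMP disabled; any unrestricted community string or missing OID exclusion is what an operator would prioritise while waiting for the fixed release.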

The company advises monitoring affected systems using the show snmp host command while preparing for software updates.
