CVE-2025-20352: Vulnerability in Cisco IOS and IOS XE Enables RCE and DoS

Cisco has disclosed a high-severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of its IOS and IOS XE Software, identified as CVE-2025-20352. The flaw allows remote attackers to either cause a denial of service (DoS) or achieve remote code execution (RCE) with root privileges, depending on the level of SNMP access they hold. The vulnerability is being actively exploited in the wild, and organizations are urged to patch immediately.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2025-20352
  • Type: Stack-based Buffer Overflow (CWE-121)
  • CVSS Score: 7.7
  • Component Affected: SNMP Subsystem in Cisco IOS and IOS XE Software
  • Description: The vulnerability arises from a stack overflow condition in the SNMP subsystem of affected Cisco software. Specifically, when crafted SNMP packets are sent to the device (over IPv4 or IPv6), the SNMP process fails to properly validate the packet structure, leading to memory corruption.
  • Exploitation: An attacker must send a specially crafted SNMP packet to the device with valid SNMP credentials. This packet overflows a buffer in the SNMP subsystem, leading either to a crash or to arbitrary code execution with full root access.
Privilege Level | SNMP Version                                          | Potential Impact
Low privilege   | SNMPv2c or SNMPv3 (read-only)                         | Denial of Service (DoS) – System reload
High privilege  | SNMPv1, v2c (with admin), or SNMPv3 (privilege 15)    | Remote Code Execution (RCE) – Execute arbitrary code as root

Affected Products

This vulnerability affects the following products when SNMP is enabled and the affected object ID (OID) has not been explicitly excluded from the SNMP view:

  • All Cisco IOS and IOS XE Software versions
  • Meraki MS390 and Cisco Catalyst 9300 Series Switches that are running Meraki CS 17 and earlier

Mitigation

1. Restrict SNMP Access
   Cisco advises administrators to allow only trusted users to have SNMP access on an affected system. Administrators are also advised to monitor affected systems by using the show snmp host command in the CLI.
2. Disable Vulnerable OIDs
   Create and apply a view that excludes the vulnerable OIDs:
    • snmp-server view NO_BAD_SNMP iso included
    • snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
    • snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
    • snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
    • snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
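A view only helps if it is actually bound to every community string and SNMPv3 group; a community or group that names no view falls back to the default, unrestricted view. The following added audit script (not part of the advisory or Cisco's tooling) checks a running-config excerpt for the NO_BAD_SNMP view above and flags communities and groups that do not reference it via the IOS `view`, `read` or `write` keywords; the sample config is constructed.

```python
# Subtrees the advisory's NO_BAD_SNMP view must exclude (taken from the advisory).
REQUIRED_EXCLUDED = {
    "snmpUsmMIB",
    "snmpVacmMIB",
    "snmpCommunityMIB",
    "cafSessionMethodsInfoEntry.2.1.111",
}

# Constructed sample of "show running-config | include snmp-server";
# not captured from a real device. Two exclusions are deliberately missing.
SAMPLE_CONFIG = """\
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server community public RO
snmp-server community ops view NO_BAD_SNMP RO 10
snmp-server group NETOPS v3 priv read NO_BAD_SNMP write NO_BAD_SNMP
snmp-server group LEGACY v3 auth
"""


def _uses_view(tokens, view_name):
    """True only if the line names at least one view and every view it names is view_name."""
    refs = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("view", "read", "write")]
    return bool(refs) and all(r == view_name for r in refs)


def audit_snmp_config(config, view_name="NO_BAD_SNMP"):
    """Audit an IOS/IOS XE config excerpt for the advisory's SNMP view mitigation.

    Returns {"missing_exclusions": [...], "unprotected": [...]}: subtrees the view
    fails to exclude, and community strings / SNMPv3 groups that do not use the
    view and therefore still expose the vulnerable OIDs.
    """
    excluded, unprotected = set(), []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind, name = tokens[1], tokens[2]
        if kind == "view" and name == view_name and len(tokens) >= 5 and tokens[-1] == "excluded":
            excluded.add(tokens[3])  # tokens[3] is the excluded subtree/OID
        elif kind in ("community", "group") and not _uses_view(tokens[3:], view_name):
            unprotected.append(f"{kind} {name}")
    return {"missing_exclusions": sorted(REQUIRED_EXCLUDED - excluded), "unprotected": unprotected}


if __name__ == "__main__":
    for key, findings in audit_snmp_config(SAMPLE_CONFIG).items():
        print(key, findings)
```

Run it against the output of `show running-config | include snmp-server` on each affected device; an empty result for both keys means the view is complete and bound everywhere.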

Recommendations

Update Cisco IOS and IOS XE Software to the latest fixed versions.
Use the official Cisco Software Checker to verify whether your current version is vulnerable.

Source:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
