CVE-2025-20352: Cisco SNMP Zero-Day - Quick Summary
- Zero-day vulnerability in Cisco IOS/IOS XE SNMP with active exploitation (CVSS 7.7)
- Allows denial of service or remote code execution depending on attacker privileges
- Affects all Cisco IOS/IOS XE devices with SNMP enabled
- Official patch available, no workarounds, only temporary mitigations
What Happened
On September 24th, 2025, Cisco disclosed a critical zero-day vulnerability in Cisco IOS Software and IOS XE Software that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) subsystem, and it allows authenticated attackers to cause denial-of-service (DoS) conditions or perform remote code execution with root privileges.
This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software, which can be exploited by sending specially-crafted SNMP packets to vulnerable devices over IPv4 or IPv6 networks. To cause a DoS, the attacker must have the SNMPv2c or earlier read-only community string or have valid SNMPv3 user credentials. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or have valid SNMPv3 user credentials and administrative or privilege 15 credentials.
The vulnerability has been assigned a CVSS score of 7.7 (High severity) and affects a wide range of Cisco network infrastructure devices. Cisco confirmed that the flaw affects a broad range of devices running vulnerable versions of Cisco IOS and IOS XE software, including Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier.
CVE ID | CVSS | Summary
--- | --- | ---
CVE-2025-20352 | High - 7.7 | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow authenticated attackers to cause denial of service or perform remote code execution as root user.
Cisco's Product Security Incident Response Team (PSIRT) identified that this vulnerability has been successfully exploited in the wild to compromise local Administrator credentials.
What That Means
An authenticated remote attacker can exploit the issue by sending specially crafted SNMP packets over IPv4 or IPv6 to achieve two different outcomes depending on their privilege level:
Low-privileged attackers with SNMPv2c read-only community strings or valid SNMPv3 credentials can force affected devices to reload, causing a denial of service condition that disrupts network operations.
High-privileged attackers with administrative credentials can achieve full remote code execution as the root user, potentially gaining complete control over the compromised system. This level of access allows attackers to:
- Establish persistence on critical network infrastructure
- Move laterally through the network
- Access sensitive network traffic and configurations
- Deploy additional malware or backdoors
- Disrupt business operations
The fact that this is a zero-day vulnerability with confirmed active exploitation makes it particularly dangerous.
How to Identify and What to Do
How to identify vulnerable devices
To determine whether your devices are vulnerable, check for SNMP configuration using the CLI commands below.
For SNMPv1 and v2c, use the following command:
Router# show running-config | include snmp-server community
For SNMPv3, use the following command:
Router# show running-config | include snmp-server group
Router# show snmp user
If these commands return output, SNMP is enabled and the device should be considered vulnerable unless the affected OID has been explicitly excluded.
What to do
Organizations running vulnerable Cisco IOS or IOS XE devices should patch immediately. Cisco strongly advises upgrading to IOS XE Release 17.15.4a or later to fully remediate the issue and prevent further exposure.
First and most critical step: Determine whether SNMP needs to be publicly accessible. Exposing SNMP to the internet is against security best practices and is rarely necessary for legitimate business operations. In most cases, SNMP should only be accessible from internal management networks or specific trusted hosts. If public SNMP access is not required, immediately block external access using firewalls or access control lists to significantly reduce your attack surface.
If immediate patching is not possible, implement the following temporary mitigations:
- Restrict SNMP access to trusted users and networks only
- Monitor SNMP activity using the show snmp host command
- Disable affected OIDs using the snmp-server view command (though this may impact device management operations)
The official mitigation from Cisco involves creating a view that excludes the vulnerable OID:
!Standard VIEW and Security Exclusions
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
!End Standard View
!Advisory Specific Mappings
!CISCO-AUTH-FRAMEWORK-MIB
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
To then apply this configuration to a community string, use the following command:
snmp-server community mycomm view NO_BAD_SNMP RO
For SNMPv3, use the following command:
snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP
Critical: There are no workarounds that address this vulnerability. The mitigations listed above are temporary measures only, and upgrading to fixed software is the only complete solution.
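As an added worked example (not Cisco's or Blumira's tooling), the following Python script applies the identification and mitigation checks above to a saved show running-config capture: it reports whether any snmp-server community or group lines exist at all, whether each community string and SNMPv3 group is bound to a view, whether that view excludes the advisory OID cafSessionMethodsInfoEntry.2.1.111, and whether an access list is attached to restrict who may query it. The configuration text embedded in the script is constructed for illustration, and the function and variable names are the example's own.

```python
"""Audit a saved Cisco IOS / IOS XE running-config for the SNMP exposure
described in the advisory. Added example, not Cisco's or Blumira's tooling.

It assumes the config text was captured with `show running-config` and
answers three questions per SNMP principal (community string or v3 group):
  * is it bound to a view at all?
  * does that view exclude the advisory OID?
  * is an access list attached to restrict who may query it?
A "mitigated" result is the temporary measure only; patching remains the fix.
"""
import re
import sys

# OID that Cisco's mitigation view excludes (from the advisory's view config).
ADVISORY_OID = "cafSessionMethodsInfoEntry.2.1.111"

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)\s*$", re.M)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$", re.M)
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?(.*)$", re.M)

# Constructed sample capture: one mitigated and one unrestricted community,
# one mitigated v3 group and one v3 group left on the default (full) view.
SAMPLE_CONFIG = """\
!
hostname edge-sw-01
!
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
snmp-server community mycomm view NO_BAD_SNMP RO
snmp-server community public RO 10
snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP
snmp-server group legacy v3 priv
!
"""


def parse_views(config):
    """Map each view name to the set of OID subtrees it excludes."""
    views = {}
    for name, oid, mode in VIEW_RE.findall(config):
        views.setdefault(name, set())
        if mode == "excluded":
            views[name].add(oid)
    return views


def _status(view, views):
    """'mitigated' only if the bound view exists and excludes ADVISORY_OID.
    No view means the default full view, which leaves the OID reachable."""
    if view is not None and ADVISORY_OID in views.get(view, set()):
        return "mitigated"
    return "exposed"


def _community_acl(rest):
    """Return the trailing access-list token of a community line, if any."""
    rest = re.sub(r"\bview \S+", "", rest)
    rest = re.sub(r"\bipv6 \S+", "", rest)
    rest = re.sub(r"\b(RO|RW|ro|rw)\b", "", rest)
    tokens = rest.split()
    return tokens[0] if tokens else None


def audit_snmp_config(config):
    """Return [(principal, status, acl)] for every SNMP community and group.

    An empty list corresponds to the page's "commands return no output"
    case: no community strings or groups are configured in this capture."""
    views = parse_views(config)
    findings = []
    for name, rest in COMMUNITY_RE.findall(config):
        m = re.search(r"\bview (\S+)", rest)
        view = m.group(1) if m else None
        findings.append((f"community {name}", _status(view, views),
                         _community_acl(rest)))
    for name, version, _level, rest in GROUP_RE.findall(config):
        m = re.search(r"\bread (\S+)", rest)
        view = m.group(1) if m else None
        a = re.search(r"\baccess (?:ipv6 \S+ )?(\S+)", rest)
        findings.append((f"group {name} {version}", _status(view, views),
                         a.group(1) if a else None))
    return findings


def exposed(config):
    """Principals that still reach the advisory OID and need the view (or a patch)."""
    return [f for f in audit_snmp_config(config) if f[1] == "exposed"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = audit_snmp_config(text)
    if not findings:
        print("no snmp-server community/group lines found in this capture")
    for principal, status, acl in findings:
        print(f"{principal:<24} {status:<10} acl={acl or '-'}")
```

Run it as `python audit_snmp.py running-config.txt` against a capture from a device; with no argument it audits the constructed sample, where the public community (no view, only an ACL) and the legacy v3 group (default read view) come back as exposed while the two principals bound to NO_BAD_SNMP come back as mitigated.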
Who's Impacted
According to Cisco's official advisory: "This vulnerability affects all versions of SNMP. All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable."
The following products are confirmed vulnerable:
- Cisco IOS and IOS XE Software (use Cisco Software Checker to determine which releases are vulnerable)
- Meraki MS390 switches running Meraki CS 17 and earlier
- Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier
Cisco has confirmed that this vulnerability does not affect the following Cisco products: IOS XR Software, NX-OS Software.
When Will Cisco Fix It
Cisco has released software updates that fully address the RCE vulnerability. The fixed release for most affected devices is Cisco IOS XE Software Release 17.15.4a.
Organizations can use the Cisco Software Checker to determine which software releases are affected and identify the appropriate fixed version for their specific devices.
The Blumira Incident Detection Engineering team is actively monitoring this issue and looking for additional detection opportunities based on the tactics, techniques, and procedures associated with CVE-2025-20352 exploitation. We will update our detection capabilities as more information becomes available about attack patterns and indicators of compromise.
Jake Ouellette
Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.