Cisco has disclosed an actively exploited zero‑day vulnerability, CVE‑2025‑20352, that affects all supported releases of IOS and IOS XE. The flaw resides in SNMP processing and can trigger a stack overflow, leading to remote denial of service (DoS) or, under certain conditions, remote code execution (RCE) on network devices. Cisco PSIRT reports in‑the‑wild attacks and urges customers to apply fixes immediately.
SNMP stack overflow in IOS/IOS XE: exploitation details and scope
The vulnerability stems from improper handling of SNMP traffic in IOS/IOS XE. An attacker can send specially crafted SNMP packets over IPv4 or IPv6 to trigger the flaw. According to Cisco PSIRT, low‑privileged adversaries can cause a DoS condition, while RCE becomes feasible if the attacker holds elevated device privileges and a valid read‑only community string for SNMP v1/v2c.
Cisco notes that some observed incidents involved compromise of local administrator credentials, which lowers the barrier to achieving code execution with root privileges. Exposing SNMP to the public internet significantly increases risk: internet‑wide scans (e.g., Shodan) regularly surface over 2 million devices with SNMP accessible, expanding the attack surface even when SNMP is configured as read‑only.
Attack prerequisites: SNMP community strings, SNMPv3, and privileges
For DoS, an adversary needs a valid SNMP read‑only community string (v1/v2c) or valid SNMPv3 credentials. For RCE, the attacker must pair a valid read‑only community string with elevated device privileges, enabling code execution at root level. While SNMPv3 adds authentication and optional encryption, the use of valid credentials (especially reused or weak passwords) still facilitates exploitation if management access is reachable.
Operational and business impact of CVE‑2025‑20352
Successful RCE on routers and switches jeopardizes both availability and integrity. With root‑level execution, an attacker can alter configurations, intercept or reroute traffic, embed persistence, move laterally, and sabotage core network services. Even a transient DoS can disrupt critical business processes, from branch connectivity to VPN access and application availability.
Immediate mitigations and hardening guidance
Patch first. Prioritize installing Cisco’s fixed releases for affected IOS/IOS XE platforms. Where immediate upgrades are not possible, implement layered controls:
- Restrict SNMP to trusted management networks only using ACLs, control‑plane policing, and VPN or out‑of‑band access.
- Disable SNMP on external interfaces, or entirely if not required.
- Prefer SNMPv3 with strong authentication, encryption (authPriv), least‑privilege roles, and frequent credential rotation.
- Eliminate default or guessable community strings; inventory and standardize values across devices.
- Enable logging and monitor for SNMP anomalies, unusual reboots, and configuration changes; integrate with SIEM for alerting.
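The controls above are easiest to enforce when they can be checked mechanically across an inventory. The script below is an added example, not Cisco's code or part of the advisory: it parses the `snmp-server community`, `snmp-server group`, `snmp-server user` and `snmp-server enable traps snmp authentication` lines of an IOS/IOS XE configuration and reports the weaknesses this section calls out (v1/v2c communities, default or guessable strings, read-write access, no access-list bound, SNMPv3 groups below authPriv, users without authentication or privacy, and missing authentication-failure traps). The two configurations embedded in it are constructed samples: the ACL name MGMT_SNMP, the view and group NETMON_VIEW/NETMON, the user netmon, the management subnet 10.10.0.0/24 and the secret placeholders are all assumptions, and the weak configuration is the "before" that the hardened one replaces.

```python
"""Audit Cisco IOS/IOS XE SNMP configuration for the hardening gaps discussed above.

Added example (not Cisco's code). The IOS command syntax parsed here is standard
(snmp-server community/group/user/enable traps); all names, subnets and secrets
in the sample configurations are constructed placeholders.
"""
from dataclasses import dataclass

# Community strings that are shipped as defaults or routinely guessed by scanners.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Constructed "before" sample: v1/v2c communities, one of them RW, no ACL on the first,
# and an SNMPv3 group that is neither authenticated nor restricted.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community Netm0n-RW RW 10
snmp-server group LEGACY v3 noauth
"""

# Constructed "after" sample: SNMPv3 authPriv only, read-only view, management ACL bound
# to the group, and authentication-failure traps enabled for the SIEM.
HARDENED_CONFIG = """\
ip access-list standard MGMT_SNMP
 permit 10.10.0.0 0.0.0.255
 deny   any log
snmp-server view NETMON_VIEW iso included
snmp-server group NETMON v3 priv read NETMON_VIEW access MGMT_SNMP
snmp-server user netmon NETMON v3 auth sha AUTH-SECRET-PLACEHOLDER priv aes 256 PRIV-SECRET-PLACEHOLDER
snmp-server enable traps snmp authentication
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH / MEDIUM / LOW
    line: str      # offending config line, or "" for a device-wide finding
    message: str


def parse_community(line: str):
    """Parse 'snmp-server community <string> [view V] [RO|RW] [ipv6 N] [acl]'."""
    tokens = line.split()
    name, rest = tokens[2], tokens[3:]
    mode, acl, i = "RO", None, 0  # IOS defaults to RO when neither keyword is given
    while i < len(rest):
        tok = rest[i]
        if tok.lower() == "view":
            i += 2                      # skip the view name
        elif tok.upper() in ("RO", "RW"):
            mode, i = tok.upper(), i + 1
        elif tok.lower() == "ipv6":
            acl, i = rest[i + 1], i + 2  # IPv6 named ACL counts as a binding
        else:
            acl, i = tok, i + 1          # trailing IPv4 ACL number or name
    return name, mode, acl


def parse_group(line: str):
    """Parse 'snmp-server group <name> <v1|v2c|v3> [auth|noauth|priv] [read V] ... [access [ipv6 N] acl]'."""
    tokens = line.split()
    name, version = tokens[2], tokens[3].lower()
    level, acl, i = None, None, 4
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("auth", "noauth", "priv"):
            level, i = tok, i + 1
        elif tok in ("read", "write", "notify", "context"):
            i += 2
        elif tok == "access":
            i += 1
            if i < len(tokens) and tokens[i].lower() == "ipv6":
                i += 1
            acl = tokens[i] if i < len(tokens) else None
            i += 1
        else:
            i += 1
    return name, version, level, acl


def parse_user(line: str):
    """Parse 'snmp-server user <name> <group> v3 [auth {md5|sha} pw [priv {des|3des|aes} ... pw]]'."""
    tokens = [t.lower() for t in line.split()]
    auth_alg = tokens[tokens.index("auth") + 1] if "auth" in tokens else None
    priv_alg = tokens[tokens.index("priv") + 1] if "priv" in tokens else None
    return line.split()[2], auth_alg, priv_alg


def audit_snmp(config: str) -> list:
    """Return the list of Findings for one device configuration."""
    findings, auth_traps = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            name, mode, acl = parse_community(line)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("HIGH", line, f"default/guessable community '{name}'"))
            if mode == "RW":
                findings.append(Finding("HIGH", line, "read-write community over v1/v2c (no authentication)"))
            if acl is None:
                findings.append(Finding("HIGH", line, "community reachable from any source: no access-list bound"))
            findings.append(Finding("MEDIUM", line, "SNMP v1/v2c community in use; migrate to SNMPv3 authPriv"))
        elif line.startswith("snmp-server group "):
            name, version, level, acl = parse_group(line)
            if version != "v3":
                findings.append(Finding("MEDIUM", line, f"group '{name}' uses {version}; migrate to v3"))
            elif level != "priv":
                findings.append(Finding("MEDIUM", line, f"SNMPv3 group '{name}' is {level or 'noauth'}; require priv (authPriv)"))
            if acl is None:
                findings.append(Finding("HIGH", line, f"group '{name}' has no access-list bound"))
        elif line.startswith("snmp-server user "):
            name, auth_alg, priv_alg = parse_user(line)
            if auth_alg is None:
                findings.append(Finding("HIGH", line, f"SNMPv3 user '{name}' has no authentication"))
            elif auth_alg == "md5":
                findings.append(Finding("MEDIUM", line, f"SNMPv3 user '{name}' authenticates with MD5; prefer SHA"))
            if priv_alg is None:
                findings.append(Finding("MEDIUM", line, f"SNMPv3 user '{name}' has no privacy (encryption)"))
            elif priv_alg == "des":
                findings.append(Finding("MEDIUM", line, f"SNMPv3 user '{name}' uses DES; prefer AES"))
        elif line.startswith("snmp-server enable traps snmp") and "authentication" in line:
            auth_traps = True
    if not auth_traps:
        findings.append(Finding("LOW", "", "authentication-failure traps not enabled; failed community/user attempts go unreported"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print(f"  [{f.severity}] {f.message}  <- {f.line or '(device-wide)'}")
```

Run it against `show running-config` output collected from each device; note that IOS does not echo `snmp-server user` commands in the running configuration, so SNMPv3 users have to be gathered from `show snmp user` and appended before auditing. The weak sample yields eight findings (four of them HIGH), the hardened sample none; a non-empty HIGH list is the signal to pull a device forward in the patch and re-segmentation queue.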
Related Cisco security fixes that attackers are currently probing
IOS XE reflected XSS (CVE‑2025‑20240)
Cisco addressed a reflected cross‑site scripting issue that could let an unauthenticated remote attacker steal cookies from vulnerable IOS XE web interfaces. Proof‑of‑concept exploits are publicly available, increasing the urgency to patch.
Authenticated DoS in IOS/IOS XE (CVE‑2025‑20149)
A local authenticated attacker can force a device reboot, resulting in a denial of service. While local access is required, the impact on uptime warrants rapid remediation in high‑availability environments.
ASA/FTD VPN web server vulnerabilities (CVE‑2025‑20333 and CVE‑2025‑20362)
CVE‑2025‑20333 (CVSS 9.9) is an input validation flaw in HTTPS request handling that allows an authenticated VPN user to execute arbitrary code with root privileges via crafted requests.
CVE‑2025‑20362 (CVSS 6.5) involves improper input validation that could grant an unauthenticated remote attacker access to protected sections of the web interface. Cisco reports “attempts at exploitation” of both issues, and chaining them may enable authentication bypass followed by RCE on vulnerable systems.
Organizations should accelerate patch cycles, strictly segment administrative interfaces, and minimize SNMP exposure. Maintain an up‑to‑date inventory of Cisco assets, enforce multi‑factor authentication for admin accounts, and continuously monitor SNMP and HTTPS access patterns for anomalies. Rapid patching combined with management‑plane isolation and least‑privilege access substantially reduces the likelihood of successful exploitation, even when public proof‑of‑concepts exist.