Cisco released a security advisory to address an actively exploited vulnerability, tracked as CVE-2025-20352, impacting Cisco IOS and IOS XE Software. Successful exploitation of the vulnerability may allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition. A high-privileged attacker may execute arbitrary code as the root user and obtain complete control of the affected system.
Cisco mentioned in their advisory, “The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”
Cisco IOS is a legacy, monolithic operating system, while Cisco IOS XE is its modern, modular, Linux-based successor. IOS XE combines the traditional IOS command-line interface (CLI) with a modern architecture, providing enhanced stability, scalability, and programmability for newer enterprise devices.
Vulnerability Description
The vulnerability exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software. The vulnerability originates from a stack overflow condition in the SNMP subsystem of the affected software. An attacker may exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks.
Upon successful exploitation of the vulnerability, a remote, authenticated attacker can perform the following:
- Cause a denial of service condition on an affected device running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials.
- Execute code as the root user on an affected device running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device.
Affected Versions
The vulnerability affects Cisco devices running a vulnerable version of Cisco IOS Software or Cisco IOS XE Software.
Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier are also affected. For these devices, the issue is fixed in Cisco IOS XE Software Release 17.15.4a.
Note: This vulnerability affects all versions of SNMP (v1, v2c, and v3). All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) from their SNMP views should be considered vulnerable.
Mitigation
Cisco recommends that users upgrade to a fixed software release to address the vulnerability.
For more information, please refer to the Cisco Security Advisory (cisco-sa-snmp-x4LPhte).
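As an added illustration (not code from Qualys or Cisco), the following Python script audits a Cisco IOS / IOS XE configuration offline for the two conditions described above: SNMP credentials (v1/v2c community strings and SNMPv3 groups) whose read view does not exclude the affected OID, and a running IOS XE release that is older than a fixed release. The OID value is a placeholder because the Cisco advisory, not this page, names it; the sample configuration is constructed; the fixed release used in the usage example is the 17.15.4a the page gives for the Meraki MS390 / Catalyst 9300 case, and other platforms must take their fixed release from the advisory.

```python
"""Offline audit of a Cisco IOS / IOS XE configuration for exposure to the
SNMP vulnerability (CVE-2025-20352).  Added example; not Qualys or Cisco code.
The affected OID below is a PLACEHOLDER and the sample config is constructed."""
import re
from dataclasses import dataclass

# Placeholder only: substitute the OID named in the Cisco advisory.
AFFECTED_OID = "1.3.6.1.4.1.9.PLACEHOLDER"


@dataclass
class Finding:
    principal: str   # community string or SNMPv3 group name
    kind: str        # "v1/v2c community" or "v3 group"
    reason: str


def parse_version(v: str) -> tuple:
    """'17.15.4a' -> (17, 15, 4, 'a').  The letter suffix marks a rebuild, so
    17.15.4a must sort after 17.15.4; tuple comparison ('' < 'a') does that."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def is_fixed(running: str, fixed: str) -> bool:
    """True when the running release is the fixed release or a later one."""
    return parse_version(running) >= parse_version(fixed)


def _covers(view_oid: str, target: str) -> bool:
    """A view entry covers the target when it names that OID or an ancestor subtree."""
    v = view_oid.lstrip(".")
    return target == v or target.startswith(v + ".")


def audit_config(config: str, affected_oid: str = AFFECTED_OID) -> list:
    """Return one Finding per SNMP credential whose read view still exposes
    affected_oid.  Per the advisory a read-only community string or valid
    SNMPv3 user suffices to trigger the reload (DoS); root code execution
    additionally needs privilege-15 credentials, which a config audit cannot
    judge, so every exposed credential is reported.  Note: IOS omits
    'snmp-server user' lines from 'show running-config', so v3 exposure is
    assessed per group (groups do appear in the config)."""
    lines = [ln.strip() for ln in config.splitlines()]

    # Views whose 'excluded' entry covers the affected OID are considered safe.
    safe_views = set()
    for ln in lines:
        m = re.fullmatch(r"snmp-server view (\S+) (\S+) excluded", ln)
        if m and _covers(m[2], affected_oid):
            safe_views.add(m[1])

    findings = []
    # v1/v2c: snmp-server community STRING [view VIEW] [RO|RW] [ACL]
    for ln in lines:
        m = re.fullmatch(r"snmp-server community (\S+)(.*)", ln)
        if not m:
            continue
        toks = m[2].split()
        view = toks[toks.index("view") + 1] if "view" in toks else None
        acl = [t for t in toks if t not in ("view", view, "RO", "RW", "ro", "rw", "ipv6")]
        if view in safe_views:
            continue  # affected OID is excluded for this community
        reason = "read view does not exclude the affected OID"
        if not acl:
            reason += "; no ACL restricts source addresses"
        findings.append(Finding(m[1], "v1/v2c community", reason))

    # v3: snmp-server group NAME v3 {auth|noauth|priv} [read VIEW] ...
    for ln in lines:
        m = re.fullmatch(r"snmp-server group (\S+) v3 \S+(.*)", ln)
        if not m:
            continue
        toks = m[2].split()
        view = toks[toks.index("read") + 1] if "read" in toks else None
        if view not in safe_views:
            findings.append(Finding(m[1], "v3 group",
                                    "read view does not exclude the affected OID"))
    return findings


# Constructed sample: one exposed community, one protected by a view,
# one protected v3 group and one exposed v3 group.
SAMPLE_CONFIG = """
snmp-server view NOBUG iso included
snmp-server view NOBUG 1.3.6.1.4.1.9.PLACEHOLDER excluded
snmp-server community public RO
snmp-server community mgmt view NOBUG RO 10
snmp-server group OPS v3 priv read NOBUG access 10
snmp-server group LEGACY v3 auth
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.kind} {f.principal}: {f.reason}")
    # Fixed release from the page, valid for the Meraki MS390 / Catalyst 9300 case.
    print("17.15.4 fixed?", is_fixed("17.15.4", "17.15.4a"))
```

The view check treats an `excluded` entry as covering the affected OID when it names that OID or an ancestor subtree, which is how IOS view matching works; the version comparator is deliberately strict about the rebuild suffix so that 17.15.4 is never mistaken for 17.15.4a.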
Qualys Detection
Qualys customers can scan their devices with QID 317727 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte