
Cisco Confirms Actively-Exploited 0-Day RCE in IOS and IOS-XE


Cisco has disclosed a critical zero-day vulnerability in its IOS and IOS XE software that threat actors are actively exploiting in real-world attacks.

The flaw, tracked as CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) subsystem and allows both denial-of-service attacks and remote code execution depending on the attacker’s privilege level.

Critical SNMP Stack Overflow


The vulnerability stems from a stack overflow condition within the SNMP subsystem, and all versions of SNMP are affected.

Attackers can exploit this flaw by sending specially crafted SNMP packets to vulnerable devices over IPv4 or IPv6 networks.

The security issue presents two distinct attack scenarios based on the attacker’s access level.

CVE Number: CVE-2025-20352
Affected Product: Cisco IOS and IOS XE Software SNMP subsystem
Impact: DoS (low privilege) / Remote Code Execution (high privilege)
CVSS 3.1 Score: 7.7 (High)

Low-privileged attackers who possess SNMPv2c read-only community strings or valid SNMPv3 user credentials can trigger a denial-of-service condition, causing affected systems to reload and disrupting network operations.

More concerning, highly privileged attackers with SNMPv1 or v2c read-only community strings combined with administrative or privilege 15 credentials can achieve full remote code execution as the root user, potentially gaining complete control over compromised systems.

Widespread Device Impact Across Cisco Portfolio


The vulnerability affects a broad range of Cisco devices running vulnerable releases of IOS and IOS XE software.

Meraki MS390 and Cisco Catalyst 9300 Series switches running Meraki CS 17 and earlier versions are also impacted.

Cisco has confirmed that all devices with SNMP enabled should be considered vulnerable unless they have explicitly excluded the affected Object Identifier (OID).

Network administrators can determine if their devices are vulnerable by checking for SNMP configuration using CLI commands.


For SNMPv1 and v2c, SNMP is enabled if the output of the ‘show running-config’ command includes an ‘snmp-server community’ command.

SNMPv3 can be verified using the ‘show running-config | include snmp-server group’ and ‘show snmp user’ commands.
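The checks above can be run offline across saved configurations; the following is an added example (not Cisco's or the article's code) that parses running-config text, reports SNMPv1/v2c communities and SNMPv3 groups, and flags entries with no access list attached. The function name `audit_snmp`, the view name `LIMITED` and the sample configuration are assumptions constructed for illustration, and a configured view does not by itself show that the affected OID is excluded.

```python
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
snmp-server view LIMITED iso included
snmp-server community s3cretRO view LIMITED RO 10
snmp-server community public RO
snmp-server group OPS v3 priv read LIMITED access 10
snmp-server host 192.0.2.10 version 2c s3cretRO
"""

COMMUNITY = re.compile(r"^snmp-server community (\S+)(.*)$", re.I)
V3_GROUP = re.compile(r"^snmp-server group (\S+) v3 (\S+)(.*)$", re.I)


def _after(tokens, keyword):
    """Return the token following keyword, or None if absent."""
    lowered = [t.lower() for t in tokens]
    if keyword in lowered:
        i = lowered.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_snmp(running_config):
    """Summarize SNMP exposure from saved running-config text."""
    report = {"v1v2c": [], "v3": []}
    for raw in running_config.splitlines():
        line = raw.strip()
        if m := COMMUNITY.match(line):
            tokens = m.group(2).split()
            view = _after(tokens, "view")
            # Whatever is left after 'view <name>' and RO/RW is the ACL part.
            rest = [t for t in tokens
                    if t.lower() not in ("view", "ro", "rw") and t != view]
            report["v1v2c"].append({
                "community": m.group(1)[:2] + "***",  # keep secrets out of reports
                "view": view, "acl": " ".join(rest) or None})
        elif m := V3_GROUP.match(line):
            tokens = m.group(3).split()
            report["v3"].append({
                "group": m.group(1), "level": m.group(2),
                "view": _after(tokens, "read"), "acl": _after(tokens, "access")})
    entries = report["v1v2c"] + report["v3"]
    report["snmp_enabled"] = bool(entries)
    report["no_acl"] = [e.get("community") or e.get("group")
                        for e in entries if e["acl"] is None]
    return report
```

Entries listed under `no_acl` are the first candidates for the access restriction the advisory recommends while a fixed release is scheduled.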

Active Exploitation Confirmed by Cisco Security Team

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that this vulnerability is being actively exploited following the compromise of local administrator credentials.

The company discovered the ongoing attacks during the resolution of a Technical Assistance Center support case, highlighting the real-world threat posed by this security flaw.

The vulnerability carries a CVSS 3.1 base score of 7.7, classified as High severity, with an attack vector of Network, Low complexity, and Changed scope.

The flaw is categorized under CWE-121 for stack-based buffer overflow conditions, emphasizing the critical nature of the underlying memory corruption issue.

Cisco has released software updates addressing this vulnerability and strongly recommends immediate upgrades to fixed releases.

No workarounds are available, though administrators can implement mitigations by disabling specific affected OIDs and restricting SNMP access to trusted users only.

The company advises monitoring affected systems using the ‘show snmp host’ command while preparing for software updates.


The post Cisco Confirms Actively-Exploited 0-Day RCE in IOS and IOS-XE appeared first on Cyber Security News.
