Cisco has issued a critical warning about a high-severity security vulnerability affecting its IOS Software and IOS XE Software. The flaw, tracked as CVE-2025-20352, carries a CVSS score of 7.7 and has reportedly been exploited in the wild. Cisco became aware of the issue after local Administrator credentials were compromised, raising concerns for many users worldwide.
The vulnerability stems from a flaw in the Simple Network Management Protocol (SNMP) subsystem, which causes a stack overflow condition. An authenticated remote attacker can exploit this vulnerability by sending a specially crafted SNMP packet to an affected device over either IPv4 or IPv6 networks. Depending on the privileges of the attacker, this can lead to a denial-of-service (DoS) condition or even allow arbitrary code execution as the root user, giving them full control over the compromised system.
Cisco has outlined the specific conditions an attacker must meet to exploit CVE-2025-20352. To cause a DoS, an attacker needs either:

- the SNMPv2c or earlier read-only community string, or
- valid SNMPv3 user credentials.

To execute code as the root user, an attacker must possess:

- the SNMPv1 or SNMPv2c read-only community string, or
- valid SNMPv3 user credentials alongside administrative or privilege 15 credentials on the affected device.

This vulnerability affects all versions of SNMP and specifically affects Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Cisco has confirmed that IOS XR Software and NX-OS Software are not affected by this vulnerability.
Cisco advises that all devices with SNMP enabled, which have not explicitly excluded the affected object ID (OID), should be considered vulnerable. Customers must take this warning seriously and assess the security of their systems.
While there are currently no workarounds that fully resolve CVE-2025-20352, Cisco has proposed a mitigation strategy: allow only trusted users SNMP access to affected systems, and monitor those systems with the show snmp host command. Additionally, administrators can disable the affected OIDs on their devices. Note, however, that not every software release supports the OIDs listed in the mitigation instructions; if an OID is not valid on a given release, that release is not affected by this vulnerability.
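The two mitigations above (restrict SNMP access to trusted hosts; exclude the affected OID through an SNMP view) can be audited from a saved running-config. The following is an added example, not Cisco's tooling: it parses a constructed IOS config excerpt and flags every SNMP community or SNMPv3 group that is still reachable from any source or does not exclude the affected OID. The OID value is a placeholder; substitute the OIDs from Cisco's mitigation instructions.

```python
import re

# Placeholder: replace with the OID(s) from Cisco's mitigation instructions.
AFFECTED_OID = "1.3.6.1.4.1.9.PLACEHOLDER"

# Constructed sample of a Cisco IOS running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
snmp-server view SAFE iso included
snmp-server view SAFE 1.3.6.1.4.1.9.PLACEHOLDER excluded
snmp-server community public RO
snmp-server community mgmt view SAFE RO 10
snmp-server group NETOPS v3 priv read SAFE access 10
snmp-server group LEGACY v3 auth
"""


def audit_snmp_config(config, affected_oid=AFFECTED_OID):
    """Return [(credential, [reasons])] for SNMP credentials that still expose
    the affected OID or accept queries from any source host."""
    # Views that exclude the OID itself or one of its parent subtrees.
    safe_views = set()
    for m in re.finditer(r"^snmp-server view (\S+) (\S+) excluded$", config, re.M):
        view, oid = m.groups()
        if oid == affected_oid or affected_oid.startswith(oid + "."):
            safe_views.add(view)

    findings = []
    # snmp-server community <string> [view <name>] {RO|RW} [<acl>]
    for m in re.finditer(
        r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$", config, re.M
    ):
        name, view, mode, acl = m.groups()
        reasons = []
        if view not in safe_views:
            reasons.append("affected OID not excluded by a view")
        if acl is None:
            reasons.append("no access-list restricting source hosts")
        if reasons:
            findings.append((f"community {name} ({mode})", reasons))
    # snmp-server group <name> v3 {noauth|auth|priv} [read <view>] ... [access <acl>]
    for m in re.finditer(
        r"^snmp-server group (\S+) v3 (\S+)(?: read (\S+))?(?:.*? access (\S+))?$", config, re.M
    ):
        name, level, view, acl = m.groups()
        reasons = []
        if view not in safe_views:
            reasons.append("affected OID not excluded by a view")
        if acl is None:
            reasons.append("no access-list restricting source hosts")
        if reasons:
            findings.append((f"group {name} (v3 {level})", reasons))
    return findings
```

Feed it the output of show running-config from each SNMP-enabled device; an empty result means every credential is both source-restricted and bound to a view that excludes the OID.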
Excluding these OIDs may impact device management capabilities through SNMP, including device discovery and hardware inventory. Therefore, it is crucial for network administrators to carefully evaluate their systems and implement the necessary security measures.
As cybersecurity threats continue to evolve, staying informed about vulnerabilities like CVE-2025-20352 is essential for network security. Cisco's prompt notification allows users to take action and protect their devices from potential attacks. Network administrators are encouraged to review their SNMP settings and apply Cisco's mitigation strategies to safeguard their systems from exploitation.