Cisco has revealed a critical zero-day vulnerability, identified as CVE-2025-20352, in its popular IOS and IOS XE software, which is reportedly being actively exploited. The flaw, discovered during a support case investigation at the Cisco Technical Assistance Center, affects the Simple Network Management Protocol (SNMP) subsystem. This vulnerability allows remote attackers to execute code or cause a denial of service on affected devices. It results from a stack overflow condition, which can be triggered by sending a spoofed SNMP packet over IPv4 or IPv6 to a vulnerable device.
All SNMP versions (v1, v2c, and v3) are susceptible, and an attacker with low privileges can cause a device to reload, leading to a denial of service. If attackers have administrative credentials, they can execute arbitrary code as root on devices running IOS XE, gaining full control. Cisco’s Product Security Incident Response Team confirmed the flaw has been exploited in real-world scenarios, highlighting the necessity of strong credential management and prompt patching.
Devices such as Meraki MS390 switches and Cisco Catalyst 9300 Series switches are at risk when SNMP is enabled on a vulnerable software version. Administrators are advised to check whether SNMP is enabled using the show running-config command. Cisco has issued software updates that fix this vulnerability and urges customers to upgrade to the patched versions immediately, as no workarounds are available.
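As an added example (not from the article or from Cisco), the check the article describes turned into a script: given saved show running-config output, it reports whether SNMP is enabled, which protocol versions are configured, and which v1/v2c communities have no ACL restricting their source. The configuration text, hostname, community strings and ACL number are all constructed for the example.

```python
import re

# Constructed sample of 'show running-config' output (not a real device);
# lines chosen to exercise the community (v1/v2c) and group (v3) forms.
SAMPLE_CONFIG = """\
hostname edge-sw01
!
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server group NETMON v3 priv
snmp-server host 192.0.2.10 version 2c public
!
line vty 0 4
"""

# 'snmp-server community <name> [view <v>] [RO|RW] [<acl>]'
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?", re.M)
# 'snmp-server group <name> v1|v2c|v3 ...'
GROUP_RE = re.compile(r"^snmp-server group \S+ (v1|v2c|v3)\b", re.M)


def snmp_exposure(config: str) -> dict:
    """Summarise the SNMP configuration relevant to the advisory.

    Returns whether SNMP is enabled at all, which protocol versions are
    configured, each v1/v2c community with its access level and optional
    ACL, and the communities reachable from any source (no ACL).
    """
    communities = []
    for m in COMMUNITY_RE.finditer(config):
        communities.append({
            "name": m.group(1),
            "access": m.group(2) or "RO",   # IOS defaults a community to RO
            "acl": m.group(3),               # None: no source restriction
        })
    versions = set()
    if communities:
        versions.update({"v1", "v2c"})     # a community string enables both
    versions.update(m.group(1) for m in GROUP_RE.finditer(config))
    return {
        "snmp_enabled": bool(communities or versions),
        "versions": sorted(versions),
        "communities": communities,
        "unrestricted_communities": [c["name"] for c in communities
                                     if c["acl"] is None],
    }


if __name__ == "__main__":
    print(snmp_exposure(SAMPLE_CONFIG))
```

Any device the script reports as enabled, whatever the version, is in scope for the upgrade; the unrestricted-community list is the shortest path to reducing exposure while the upgrade is scheduled.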

