Cisco has disclosed a critical security flaw in its IOS and IOS XE software that exposes devices to denial of service and remote code execution through the Simple Network Management Protocol (SNMP). The vulnerability, tracked as CVE-2025-20352 and already exploited as a zero-day, carries a CVSS score of 7.7. It stems from a stack overflow in the SNMP subsystem: an attacker who holds valid SNMP credentials can send crafted packets that disrupt device operation or, in the worst case, take full control. With low privileges, an attacker can force the device to reload, causing a denial of service. With higher privileges, an attacker can execute arbitrary code as root and potentially control the entire infrastructure.
Research indicates that around two million Cisco devices worldwide may be reachable through exposed SNMP interfaces, which underlines the scale of the risk given Cisco's role in corporate networks and critical infrastructure. Cisco confirms the vulnerability is being actively exploited, with attackers who had obtained compromised administrator credentials. All devices running Cisco IOS or IOS XE with SNMP enabled are affected unless the specific object IDs (OIDs) are excluded. Vulnerable devices include Meraki MS390 and Cisco Catalyst 9300 switches running older software versions; a fix is available in IOS XE release 17.15.4a.
Cisco stresses that there are no viable workarounds, only a mitigation that excludes the specific OIDs, which may break SNMP functionality that depends on them. The permanent fix is to install the patches Cisco provides. The vulnerability is part of a broader update that addresses fourteen security issues, eight of them with high CVSS scores. Organizations are urged to update their devices and to limit SNMP access to trusted users. Given the active exploitation, the scale of exposure, and the lack of a simple workaround, this vulnerability is considered one of the most urgent threats to Cisco environments.
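As an added illustration, not taken from Cisco's advisory or from this article: an IOS/IOS XE configuration fragment that applies the two defensive measures described above, an access list that limits SNMP to a trusted management host and an SNMP view that excludes an OID subtree. The OIDs Cisco names are not given on this page, so the subtree, the host address and the credentials below are placeholders.

```cisco
! Added example configuration with placeholder values; it is not Cisco's
! published mitigation. Patching to a fixed release remains the real fix.
!
! 1. Only the management host may send SNMP to this device.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log
!
! 2. Read view over the whole MIB tree minus the subtree Cisco identifies
!    (placeholder below; take the real OIDs from the advisory). Excluding a
!    subtree hides those objects from every poller that uses this view, so
!    monitoring that depends on them stops working, as the article notes.
snmp-server view SAFE-VIEW iso included
snmp-server view SAFE-VIEW <OID-SUBTREE-FROM-CISCO-ADVISORY> excluded
!
! 3. SNMPv3 with authentication and encryption, bound to the view and ACL,
!    so only a trusted, authenticated user from the trusted host can poll.
snmp-server group MONITOR v3 priv read SAFE-VIEW access SNMP-MGMT
snmp-server user nms-poller MONITOR v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD> access SNMP-MGMT
!
! 4. Weak pattern to remove if present: a community string with no ACL,
!    reachable from any source address.
no snmp-server community public RO
```

Verify the result with `show snmp view`, `show snmp group` and `show access-lists SNMP-MGMT`; any poller still using a community string should be migrated to the SNMPv3 user above.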