Active Exploitation of Zero-Day Vulnerability CVE-2025-20352 in Cisco IOS and IOS XE

Cisco has released a security advisory to address exploited vulnerability CVE-2025-20352 that could lead to remote code execution or a denial-of-service condition

Threat ID:: CC-4702
Threat Severity:: High
Published:: 25 September 2025 11:59 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Cisco has released a security advisory to address exploited vulnerability CVE-2025-20352 that could lead to remote code execution or a denial-of-service condition

Affected platforms

The following platforms are known to be affected:

Versions: All versions

Cisco IOS

Versions: All versions

Cisco IOS XE

Cisco Meraki

Meraki MS390: Meraki CS 17 and earlier

Cisco Catalyst 9300 Series Switches

Cisco Catalyst 9300 Series Switches: Meraki CS 17 and earlier

Threat details

Exploitation of CVE-2025-20352

Cisco has reported exploitation of CVE-2025-20352 in the wild. The NHS England National CSOC assesses further exploitation is highly likely.

Introduction

Cisco has released a security advisory to address a high severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco's IOS and IOS XE platforms. Cisco IOS and IOS XE are the operating systems for Cisco networking appliances.

Vulnerability details

CVE-2025-20352 is a "stack-based buffer overflow" vulnerability with a CVSSv3 score of 7.7. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary code or cause a denial-of-service condition. To execute code remotely, an attacker must have either the SNMPv1 or SNMPv2c read-only community string; or valid SNMPv3 user credentials with administrative or privilege 15 permissions on the affected device. CVE-2025-20352 is under active exploitation.

Remediation advice

Affected organisations must review Cisco security advisory cisco-sa-snmp-x4LPhte and update to the latest fixed version and limit SNMP access to trusted users only as soon as possible.

Note: Cisco recommends using the Cisco Software Checker tool to determine fixed releases for affected platforms.

Remediation steps

Type	Step
Patch	Organisations must update to the latest fixed version of Cisco IOS or Cisco IOS XE as soon as possible. Note: Cisco recommends using the Cisco Software Checker tool to determine fixed releases for affected platforms. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
Action	Organisations must limit SNMP access on affected devices to trusted users only. It is best practice to restrict SNMP access to local trusted networks only. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte

Type

Step

Patch

Organisations must update to the latest fixed version of Cisco IOS or Cisco IOS XE as soon as possible.

Note: Cisco recommends using the Cisco Software Checker tool to determine fixed releases for affected platforms.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte

Action

Organisations must limit SNMP access on affected devices to trusted users only. It is best practice to restrict SNMP access to local trusted networks only.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte

Definitive source of threat updates

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte

CVE Vulnerabilities

Status Published

CVE-2025-20352

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.

Last edited: 25 September 2025 11:59 am