Cisco Warns of Critical IOS and IOS XE Flaws Enabling Remote Code Execution
October 17, 2025 - Cisco has revealed a high-severity vulnerability in its widely deployed IOS and IOS XE Software that could allow attackers to remotely crash devices or gain full system control via code execution.
The vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem and results from a stack overflow issue. It can be exploited by sending specially crafted SNMP packets over IPv4 or IPv6, impacting all SNMP versions.
Notably, Cisco confirmed that the flaw has already been exploited in real-world attacks, raising the stakes for network administrators to respond immediately.
Attackers have two main paths: a low-privileged authenticated user with SNMPv2c read-only community strings or valid SNMPv3 credentials could trigger a denial-of-service (DoS) by forcing the device to reload, causing network disruption. More critically, an attacker with privilege level 15 or administrative access could execute arbitrary code as the root user on IOS XE systems, effectively seizing total control.
The issue was identified by Cisco’s Product Security Incident Response Team (PSIRT) during a Technical Assistance Center (TAC) case. Exploits observed in the wild reportedly involved compromised local administrator credentials.
This vulnerability affects a wide array of Cisco devices running susceptible IOS or IOS XE versions with SNMP enabled—including routers, switches, and wireless access points. Devices are at risk unless they have specifically excluded the vulnerable object ID (OID). Fortunately, Cisco confirmed that IOS XR and NX-OS platforms are not impacted.
The potential damage is substantial: DoS attacks could disrupt critical services, while remote code execution could facilitate data breaches, lateral movement, or malware deployment.
Given SNMP’s widespread use for device monitoring, many enterprises remain exposed, often due to default configurations.
Mitigations and Patch Guidance
Cisco has stated that no complete workaround exists. However, mitigations can reduce immediate exposure. Administrators are advised to limit SNMP access to trusted sources and review configurations using commands like show snmp host.
Security can be bolstered by using the snmp-server view command to restrict access to sensitive OIDs and applying this view to SNMPv2c community strings or SNMPv3 groups. For Meraki cloud-managed switches, Cisco recommends contacting support to implement these changes.
Patches addressing this issue are included in Cisco’s September 2025 Semiannual Security Advisory Bundled Publication. Users should check their systems via the Cisco Software Checker to confirm exposure and identify the appropriate fixed release.
SNMP configurations can be verified with CLI commands such as show running-config | include snmp-server community for SNMPv1/v2c or show snmp user for SNMPv3.
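As an added example, not taken from the articles or from Cisco, the following Python audit runs over constructed `show running-config | include snmp-server` output and flags each community string or SNMPv3 group that lacks the source ACL or the `snmp-server view` restriction described above. The community strings, ACL numbers and the view name MGMT-ONLY are constructed; because the advisory's affected OID is not quoted here, the check only tests whether a view is applied at all.

```python
import re

# Constructed sample of `show running-config | include snmp-server` output
# on a device that mixes weak and hardened SNMP settings.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server community mon-ro view MGMT-ONLY RO 99
snmp-server group NETMON v3 priv read MGMT-ONLY access 99
snmp-server group LEGACY v3 auth
snmp-server host 192.0.2.10 version 2c public
"""

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: ipv6 (?P<acl6>\S+))?(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
# snmp-server group <name> v3 <sec> [read <v>] [write <v>] [notify <v>] [access [ipv6 <acl>] [<acl>]]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<sec>noauth|auth|priv)"
    r"(?: read (?P<read>\S+))?(?: write (?P<write>\S+))?(?: notify (?P<notify>\S+))?"
    r"(?: access(?: ipv6 (?P<acl6>\S+))?(?: (?P<acl>\S+))?)?$",
    re.IGNORECASE,
)

def audit_snmp(config_text):
    """Return (config line, issue) pairs for SNMP entries that let any source
    query the agent or leave the whole OID tree reachable (no view applied)."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if m := COMMUNITY_RE.match(line):
            if m["name"].lower() in ("public", "private"):
                findings.append((line, "well-known default community string"))
            if (m["mode"] or "RO").upper() == "RW":
                findings.append((line, "read-write community"))
            if not m["view"]:
                findings.append((line, "no view: every OID is reachable"))
            if not (m["acl"] or m["acl6"]):
                findings.append((line, "no ACL: any source may query"))
        elif m := GROUP_RE.match(line):
            if m["sec"].lower() == "noauth":
                findings.append((line, "SNMPv3 group without authentication"))
            if not m["read"]:
                findings.append((line, "no read view: every OID is reachable"))
            if not (m["acl"] or m["acl6"]):
                findings.append((line, "no ACL: any source may query"))
    return findings
```

In the sample, only the mon-ro community and the NETMON group (view plus ACL) pass clean; the `snmp-server host` line is ignored because it names a trap receiver rather than an access path.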
Cisco strongly urges immediate software upgrades, warning that failure to act may invite further exploitation. As networks become increasingly interconnected, this vulnerability highlights the critical need for proactive SNMP security and timely patch management.
Source: https://cybersecuritynews.com/cisco-ios-and-ios-xe-software-vulnerabilities/
Cisco Alerts on Actively Exploited SNMP Flaw Enabling RCE or DoS in IOS Software
September 25, 2025 - Cisco has issued a security advisory regarding a high-severity vulnerability in its IOS and IOS XE Software, warning that the flaw is being actively exploited in the wild.
Tracked as CVE-2025-20352, the vulnerability carries a CVSS score of 7.7. Cisco revealed that the issue was identified following the compromise of local Administrator credentials.
The flaw exists within the Simple Network Management Protocol (SNMP) subsystem and is attributed to a stack overflow condition. According to Cisco, a remote, authenticated attacker could exploit the bug by sending specially crafted SNMP packets over IPv4 or IPv6. Depending on the attacker's privilege level, this could result in either a denial-of-service (DoS) or remote code execution (RCE) with root-level access.
Cisco outlined the necessary conditions for exploitation:
For DoS attacks: The attacker must possess the SNMPv2c or earlier read-only community string, or valid SNMPv3 user credentials.
For code execution as root: The attacker must have the SNMPv1 or v2c read-only community string or SNMPv3 credentials with administrative (privilege level 15) access.
All SNMP versions are affected by the vulnerability. Specific devices impacted include the Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 or earlier. Cisco confirmed that the issue has been resolved in IOS XE Software Release 17.15.4a. Notably, Cisco IOS XR and NX-OS Software are not affected.
"This vulnerability affects all versions of SNMP. All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable," Cisco stated.
No direct workarounds are available for CVE-2025-20352. However, Cisco recommends restricting SNMP access to trusted users and monitoring configurations with the "show snmp host" command.
"Administrators can disable the affected OIDs on a device," the company added. "Not all software will support the OID that is listed in the mitigation. If the OID is not valid for specific software, then it is not affected by this vulnerability. Excluding these OIDs may affect device management through SNMP, such as discovery and hardware inventory."
Source: https://thehackernews.com/2025/09/cisco-warns-of-actively-exploited-snmp.html