Cisco uncovers new SNMP vulnerability used in attacks on IOS devices

Cisco Systems has issued security updates to address a critical vulnerability in its widely deployed IOS and IOS XE network operating systems, after confirming the flaw is being exploited in active attacks.
Designated CVE-2025-20352, the vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s core network software. According to Cisco, the weakness stems from a stack-based buffer overflow and affects any device with SNMP enabled. The flaw allows authenticated, remote attackers with low privileges to force targeted systems to reload, causing denial of service. Higher-privileged attackers could execute arbitrary code with root-level permissions on affected Cisco IOS XE devices, effectively gaining complete control.
Cisco disclosed that the vulnerability has been exploited in the wild. The company became aware of active attacks after the compromise of local administrator credentials. Attackers have leveraged the flaw by sending crafted SNMP packets over either IPv4 or IPv6 networks.
“All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco wrote in a published advisory. The company noted the problem affects all versions of SNMP, including v1, v2c, and v3. Models such as the Meraki MS390 and Catalyst 9300 running Meraki CS 17 or earlier are impacted, with a fix arriving in a further IOS XE software release.
No known workarounds exist beyond software updates. While organizations unable to immediately upgrade can mitigate some risk by limiting SNMP access to trusted users and network segments, Cisco advises that these are only temporary measures.
The company’s security bulletin also explains how administrators can use command-line tools to verify whether SNMP is enabled and whether potentially affected configurations are present. Devices running IOS XR and NX-OS are confirmed as unaffected.
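As an added illustration of the interim mitigation described above (restricting SNMP to trusted hosts and excluding the affected OID from what clients may read) together with the command-line verification Cisco points administrators to, the following IOS/IOS XE fragment is an example written for this article, not configuration taken from Cisco's advisory. The ACL and view names, the management host address, the community placeholder and `PLACEHOLDER_OID` are all assumptions; the real object ID must be taken from Cisco's advisory.

```cisco
! --- Before: a weak, default-style SNMP configuration (constructed example) ---
! Any host that knows the community string can query the agent on every interface,
! and the whole MIB tree, including the affected OID, is readable.
snmp-server community public RO

! --- After: limit who may reach SNMP and what they may read ---
! 1. Only the monitoring server (example address 192.0.2.10) may source SNMP requests.
!    Add an "ipv6" named ACL as well if the device is managed over IPv6.
ip access-list standard SNMP-MGMT-ONLY
 permit host 192.0.2.10
 deny   any log

! 2. A read-only view that excludes the affected OID.
!    PLACEHOLDER_OID stands in for the object ID named in Cisco's advisory.
snmp-server view SAFE-RO iso included
snmp-server view SAFE-RO PLACEHOLDER_OID excluded

! 3. Bind the view and the ACL to the v2c community (COMMUNITY_PLACEHOLDER is a
!    stand-in for a long, random string) ...
snmp-server community COMMUNITY_PLACEHOLDER view SAFE-RO RO SNMP-MGMT-ONLY

! ... and to an authenticated, encrypted SNMPv3 group, since v3 is affected too.
snmp-server group NMS-V3 v3 priv read SAFE-RO access SNMP-MGMT-ONLY

! Verification from privileged EXEC mode, before and after the change:
! show running-config | include snmp   <- is SNMP configured at all, and how?
! show snmp community                  <- which communities and ACLs are active?
! show snmp view                       <- is the affected OID actually excluded?
```

This narrows exposure but does not remove the overflow; the advisory's position is that only the software update resolves CVE-2025-20352.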
The same update that addressed the SNMP flaw also included patches for 13 other vulnerabilities. Two of these are considered significant: a reflected cross-site scripting weakness (CVE-2025-20240) permitting attackers to potentially steal session cookies, and a denial-of-service flaw (CVE-2025-20149) that can be triggered by authenticated local users. Both have proof-of-concept exploit code available publicly.
Cisco’s IOS and IOS XE platforms are foundational to global networking infrastructure, making vulnerabilities with the potential for remote code execution and denial of service particularly significant for enterprise operations and internet service providers. SNMP’s pervasive use for network monitoring and management, coupled with default or weak credential usage in some environments, continues to place heightened importance on timely security response.