Cisco Patches Critical Zero-Day Flaw Actively Under Attack

Summary
– Cisco has fixed 14 vulnerabilities, including a high-severity zero-day vulnerability tracked as CVE-2025-20352 that has been actively exploited.
– The CVE-2025-20352 vulnerability is a stack overflow in the SNMP subsystem of Cisco IOS and IOS XE software, triggered by a crafted SNMP packet.
– Successful exploitation can allow an attacker to cause a denial-of-service (DoS) condition or execute arbitrary code with root-level control of the system, depending on their credentials.
– Cisco confirmed successful exploitation occurred in the wild after local Administrator credentials were compromised by attackers.
– Customers are advised to check for affected software versions and either upgrade to a fixed release or implement a temporary mitigation by restricting SNMP access to trusted users.
Cisco has released critical security updates addressing a total of 14 vulnerabilities within its IOS and IOS XE software. The most significant of these is a high-severity flaw, identified as CVE-2025-20352, which has already been exploited in real-world zero-day attacks. This situation underscores the urgent need for network administrators to assess their systems and apply the necessary patches.
The vulnerability exists as a stack overflow within the Simple Network Management Protocol (SNMP) subsystem. It impacts a wide range of Cisco devices, from older Catalyst switches and Integrated Services Routers running IOS to modern high-performance routers, switches, and wireless controllers powered by IOS XE. An attacker can trigger the flaw by sending a specially crafted SNMP packet to a susceptible device over an IPv4 or IPv6 network.
The potential consequences of a successful attack are severe. Cisco warns that exploitation could lead to one of two outcomes. A low-privileged attacker could force the affected system to reload, creating a denial-of-service (DoS) condition. More alarmingly, an attacker with administrative-level access could achieve arbitrary code execution with root privileges, granting them complete control over the compromised device. For the more serious code execution attack, the threat actor must possess specific SNMP credentials along with administrative (privilege 15) credentials on the target system.
Evidence suggests that attackers in the wild have already managed to obtain these high-level credentials. Cisco’s Product Security Incident Response Team (PSIRT) confirmed active exploitation occurred after local administrator credentials were compromised.
While Cisco has not published an exhaustive list of every vulnerable software release, it has confirmed that Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 or earlier are among the affected platforms. Organizations are strongly encouraged to determine their exposure by using the Cisco Software Checker tool or the form provided in the official security advisory.
If a device is found to be running a vulnerable software version, the primary course of action is to upgrade to a fixed release as soon as possible. For situations where an immediate update is not feasible, Cisco recommends a temporary mitigation strategy. Administrators should restrict SNMP access to trusted users only on any system that cannot be patched immediately, thereby reducing the attack surface.
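As an added example (not Cisco's Software Checker or anything from the article): a small Python audit over exported running-config text that flags SNMP communities and v3 groups not bound to a defined ACL, i.e. the unrestricted SNMP exposure the mitigation above is meant to close. The config excerpt is constructed, and the regexes are a heuristic over common IOS syntax rather than a full parser.

```python
import re

# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.10.50.0 0.0.0.255
snmp-server community public RO
snmp-server community s3cretRW RW
snmp-server community mgmt-ro RO SNMP-MGMT
snmp-server group NMS-GROUP v3 priv read ALL-VIEW access SNMP-MGMT
snmp-server group LEGACY v2c
snmp-server community ghost RO NOT-DEFINED
"""

# snmp-server community <str> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?$")
# snmp-server group <name> v1|v2c|v3 [auth|noauth|priv] [read/write/notify ...] [access <acl>]
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)\b(.*)$")
# Named ACL header or numbered ACL entry; either one declares the ACL name/number.
ACL_DEF_RE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")

def defined_acls(config):
    """Return the set of ACL names/numbers declared anywhere in the config."""
    acls = set()
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls

def audit_snmp(config):
    """Return (config_line, reason) for each SNMP community/group not restricted by a defined ACL."""
    acls, findings = defined_acls(config), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        elif m := GROUP_RE.match(line):
            name, mode = m.group(1), m.group(2)
            acl_m = re.search(r"\baccess (\S+)", m.group(3))
            acl = acl_m.group(1) if acl_m else None
        else:
            continue
        if acl is None:
            findings.append((line, f"{name} ({mode}): no ACL, any source may send SNMP"))
        elif acl not in acls:
            findings.append((line, f"{name} ({mode}): ACL '{acl}' is not defined"))
    return findings
```

Run it over `show running-config` output collected from each device; a community or group without a defined ACL is one the interim mitigation has not yet covered.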
(Source: HelpNet Security)