Millions of Cisco Devices Hit by Active 0-Day Attack

Summary
– Up to 2 million Cisco devices are vulnerable to an actively exploited zero-day vulnerability (CVE-2025-20352) that can cause remote crashes or code execution.
– The flaw affects all supported versions of Cisco IOS and IOS XE operating systems and has a severity rating of 7.7 out of 10.
– The vulnerability is a stack overflow bug in the component that handles SNMP (Simple Network Management Protocol) and is exploited by sending crafted SNMP packets.
– Successful exploitation in the wild has been reported, and Cisco strongly recommends customers upgrade to a fixed software release to address the issue.
– Remote code execution requires a read-only SNMP community string plus existing user privileges on the system; a successful exploit then yields root-level access to the device.
A newly identified and actively exploited vulnerability places an estimated two million Cisco networking devices at significant risk. This critical security flaw, designated CVE-2025-20352, enables attackers to either crash systems entirely or execute malicious code with the highest level of system privileges. The issue affects all currently supported versions of the Cisco IOS and Cisco IOS XE operating systems, which run on a vast array of the company’s switches and routers. Security researchers have assigned the vulnerability a severity score of 7.7 out of 10, underscoring its potential for damage.
Cisco’s Product Security Incident Response Team (PSIRT) confirmed it became aware of active exploitation in real-world environments. The company has issued a firm recommendation for all customers to immediately install updated software that contains a fix. The vulnerability stems from a stack overflow bug within the component responsible for processing the Simple Network Management Protocol (SNMP). This protocol is commonly used for collecting performance data from network devices. Attackers can trigger the flaw by sending specially crafted SNMP packets to a vulnerable device.
For an attacker to achieve the more severe outcome of remote code execution, two specific conditions must be met. First, they need to possess the read-only community string, which is a form of password used for SNMP access. These strings are often set to a default value when a device is shipped and, even if changed, may be common knowledge within an organization. Second, the attacker must have some level of user privileges on the target system. If both conditions are satisfied, the attacker can run any code they choose with unrestricted root-level authority over the device.
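Because the read-only community string is one of the two preconditions, a quick audit of where SNMP is exposed and which strings it uses is the first thing a network team would check. The script below is an added example, not code from the article or from Cisco: it parses a constructed Cisco IOS configuration excerpt (the hostname, community names and ACL are all made up) and flags community strings that are well-known defaults, read-write communities, communities with no source ACL, and communities that reference an ACL the config never defines. It assumes the standard `snmp-server community <string> RO|RW [acl]` and `ip access-list` / `access-list` syntax and ignores the optional `view` keyword.

```python
import re
from typing import NamedTuple

# Constructed sample of a Cisco IOS running-config excerpt (not from the article).
# "public" and "private" are defaults with no ACL, "n3tm0n-ro" is properly
# restricted, and "mon-ro" points at ACL 99, which is never defined.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
ip access-list standard SNMP-MGMT
 permit 10.10.5.0 0.0.0.255
 deny   any
!
snmp-server community public RO
snmp-server community n3tm0n-ro RO SNMP-MGMT
snmp-server community private RW
snmp-server community mon-ro RO 99
snmp-server group NETOPS v3 priv
!
"""

# Community strings that ship as defaults or are so common they offer no secrecy.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
ACL_DEF_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+)\s)",
    re.MULTILINE,
)
V3_GROUP_RE = re.compile(
    r"^snmp-server group \S+ v3 (?:noauth|auth|priv)\b", re.IGNORECASE | re.MULTILINE
)


class Finding(NamedTuple):
    community: str
    access: str
    issue: str


def defined_acls(config: str) -> set[str]:
    """Names/numbers of ACLs the config actually defines."""
    return {m.group(1) or m.group(2) for m in ACL_DEF_RE.finditer(config)}


def has_snmpv3(config: str) -> bool:
    """True if at least one SNMPv3 group is configured."""
    return V3_GROUP_RE.search(config) is not None


def audit_snmp(config: str) -> list[Finding]:
    """Return one Finding per weakness seen on each community line."""
    acls = defined_acls(config)
    findings: list[Finding] = []
    for m in COMMUNITY_RE.finditer(config):
        name, access, acl = m.group(1), m.group(2).upper(), m.group(3)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(name, access, "well-known default community string"))
        if access == "RW":
            findings.append(Finding(name, access, "read-write community configured"))
        if acl is None:
            findings.append(Finding(name, access, "no ACL restricting SNMP source addresses"))
        elif acl not in acls:
            # An ACL that is referenced but never defined imposes no restriction,
            # so the community is effectively reachable from anywhere.
            findings.append(Finding(name, access, f"references undefined ACL {acl}"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"{f.community:<12} {f.access}  {f.issue}")
    print("SNMPv3 configured:", has_snmpv3(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file and every line it prints is a community string worth rotating, restricting with an ACL, or replacing with an SNMPv3 user. The undefined-ACL check matters because a typo in the ACL name leaves the community open while the config still looks locked down at a glance.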
(Source: Ars Technica)