Millions of Cisco Devices Hit by Active 0-Day Attack

A newly identified and actively exploited vulnerability places an estimated two million Cisco networking devices at significant risk. This critical security flaw, designated CVE-2025-20352, enables attackers to either crash systems entirely or execute malicious code with the highest level of system privileges. The issue affects all currently supported versions of the Cisco IOS and Cisco IOS XE operating systems, which run on a vast array of the company’s switches and routers. Security researchers have assigned the vulnerability a severity score of 7.7 out of 10, underscoring its potential for damage.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed it became aware of active exploitation in real-world environments. The company has issued a firm recommendation for all customers to immediately install updated software that contains a fix. The vulnerability stems from a stack overflow bug within the component responsible for processing the Simple Network Management Protocol (SNMP). This protocol is commonly used for collecting performance data from network devices. Attackers can trigger the flaw by sending specially crafted SNMP packets to a vulnerable device.

For an attacker to achieve the more severe outcome of remote code execution, two specific conditions must be met. First, they need to possess the read-only community string, which is a form of password used for SNMP access. These strings are often set to a default value when a device is shipped and, even if changed, may be common knowledge within an organization. Second, the attacker must have some level of user privileges on the target system. If both conditions are satisfied, the attacker can run any code they choose with unrestricted root-level authority over the device.

(Source: Ars Technica)