Cisco Warns: Patch This Critical RCE & DoS Bug Now

Summary
– Cisco has disclosed a high-severity flaw (CVE-2025-20352) in IOS and IOS XE Software that allows remote code execution or a denial-of-service (DoS) condition.
– This vulnerability, which has been exploited in the wild, is a stack overflow in the SNMP subsystem and affects all versions of SNMP.
– An attacker can exploit it by sending a crafted SNMP packet over IPv4 or IPv6, but requires specific credentials depending on the desired outcome (DoS or code execution).
– The flaw impacts Meraki MS390 and Cisco Catalyst 9300 Series Switches running certain software, and a fix is available in Cisco IOS XE Software Release 17.15.4a.
– While there are no direct workarounds, mitigation involves disabling affected OIDs or restricting SNMP access to trusted users, though this may impact device management.
A critical security vulnerability has been identified in Cisco’s IOS and IOS XE Software, posing a significant threat to network infrastructure. This high-severity flaw, if exploited, could grant a remote attacker the ability to execute arbitrary code or cause a complete denial-of-service (DoS) condition. The urgency is heightened as Cisco has confirmed this specific vulnerability, tracked as CVE-2025-20352 with a CVSS score of 7.7, is already being actively exploited following a compromise of local administrator credentials.
The root of the problem lies within the Simple Network Management Protocol (SNMP) subsystem, where a stack overflow condition creates the opening for an attack. An authenticated attacker can trigger this flaw by sending a specially crafted SNMP packet to a vulnerable device over an IPv4 or IPv6 network. The outcome of the attack depends entirely on the level of access the attacker possesses. With lower-level credentials, the result is typically a service-disrupting DoS event. However, an attacker armed with high-privilege administrative credentials can achieve arbitrary code execution with root-level permissions, effectively seizing full control of the system.
Successful exploitation is not universal and hinges on specific prerequisites. To initiate a simple denial-of-service attack, the malicious actor must have obtained either the SNMPv2c (or earlier) read-only community string or valid SNMPv3 user credentials. Achieving the more severe outcome of arbitrary code execution requires a greater level of access. The attacker would need the SNMPv1 or v2c read-only community string, valid SNMPv3 user credentials, and, critically, administrative or privilege level 15 credentials on the targeted device.
This vulnerability impacts all versions of SNMP. Specific hardware affected includes Meraki MS390 and Cisco Catalyst 9300 Series Switches that are running Meraki CS 17 and earlier versions. A permanent fix is available in Cisco IOS XE Software Release 17.15.4a. It is important to note that Cisco IOS XR Software and NX-OS Software are not vulnerable to this particular issue. Cisco emphasizes that any device with SNMP enabled is considered vulnerable unless it has been specifically configured to exclude the affected object identifier (OID).
Cisco has stated that there are no direct workarounds to eliminate the threat of CVE-2025-20352. However, administrators can implement important mitigation strategies to reduce risk. The primary recommendation is to restrict SNMP access exclusively to trusted users on any vulnerable system. Network administrators should also proactively monitor their systems using commands such as “show snmp host”. Another potential mitigation involves disabling the specific OIDs associated with the vulnerability on the device, though this action may disrupt certain SNMP management functions such as device discovery and hardware inventory. If a particular software version does not support the listed OID, that device is not considered vulnerable.
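The mitigations above (restrict SNMP to trusted sources, prefer SNMPv3 with authentication and privacy, exclude the affected OID through an SNMP view) can be checked mechanically against a running-config. The following audit script is an added example written for this page; it is not Cisco's code and not tooling from the advisory. The two configuration excerpts inside it are constructed samples, and `AFFECTED_OID` is an obvious placeholder because this summary does not list the real OID; substitute the value from Cisco's advisory before use.

```python
"""Audit a Cisco IOS / IOS XE running-config excerpt for the SNMP mitigations
named in the CVE-2025-20352 advisory summary.

Added example, not Cisco's code. Checks performed:
  * every SNMPv1/v2c community is bound to a defined access-list (trusted sources)
  * no read-write community is configured
  * every SNMPv3 group uses security level 'priv' and is bound to an access-list
  * communities and v3 groups read through a view that excludes the affected OID
Note: IOS does not print 'snmp-server user' lines in the running-config; v3
users must be taken from 'show snmp user' output, so they are not checked here.
"""
import re

# PLACEHOLDER: the advisory summary does not give the real OID; replace it.
AFFECTED_OID = "1.3.6.1.PLACEHOLDER"

# Constructed sample: reachable from anywhere, RW community, no view.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

# Constructed sample applying the mitigations described in the text.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny any log
snmp-server view NOVULN iso included
snmp-server view NOVULN 1.3.6.1.PLACEHOLDER excluded
snmp-server group NETOPS v3 priv read NOVULN access SNMP-MGMT
snmp-server community s3cr3t view NOVULN RO SNMP-MGMT
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)(?: (?P<acl>\S+))?\s*$", re.IGNORECASE)
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<sec>auth|noauth|priv)(?P<rest>.*)$",
    re.IGNORECASE)
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<oid>\S+) (?P<action>included|excluded)$",
    re.IGNORECASE)
ACL_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) (?P<named>\S+)|access-list (?P<num>\d+) )")


def _redact(secret):
    """Never echo a full community string into an audit report."""
    return (secret[0] + "***") if secret else "***"


def audit_snmp(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    acls, excluding_views = set(), set()
    communities, groups = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group("named") or m.group("num"))
        elif m := VIEW_RE.match(line):
            if m.group("action").lower() == "excluded" and m.group("oid") == AFFECTED_OID:
                excluding_views.add(m.group("name"))
        elif m := COMMUNITY_RE.match(line):
            communities.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups.append(m.groupdict())

    findings = []
    for c in communities:
        label = f"community {_redact(c['string'])}"
        if c["mode"].upper() == "RW":
            findings.append(f"{label}: read-write community configured")
        if not c["acl"]:
            findings.append(f"{label}: no access-list, SNMP reachable from any source")
        elif c["acl"] not in acls:
            findings.append(f"{label}: references undefined access-list {c['acl']}")
        if c["view"] not in excluding_views:
            findings.append(f"{label}: view does not exclude affected OID {AFFECTED_OID}")
    for g in groups:
        label = f"v3 group {g['name']}"
        if g["sec"].lower() != "priv":
            findings.append(f"{label}: security level {g['sec']} (expected priv)")
        acl = re.search(r"\baccess (\S+)", g["rest"])
        if not acl:
            findings.append(f"{label}: no access-list, SNMP reachable from any source")
        elif acl.group(1) not in acls:
            findings.append(f"{label}: references undefined access-list {acl.group(1)}")
        read = re.search(r"\bread (\S+)", g["rest"])
        if not read or read.group(1) not in excluding_views:
            findings.append(f"{label}: read view does not exclude affected OID {AFFECTED_OID}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_snmp(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against the text of `show running-config` (the script reads a string, so pipe the output into a file first). An empty result only means the listed mitigations are present; it does not replace upgrading to the fixed release, and excluding the OID may break discovery and inventory functions as the advisory notes.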
(Source: The Hacker News)