Cisco patches actively exploited Zero-Day vulnerability in IOS and IOS XE software
Take action: If you have Cisco IOS or IOS XE devices with SNMP enabled, plan to update them, because this is an actively exploited flaw. It is not a panic-mode patch, since the exploit requires authentication, so awareness and security discipline help. But don't ignore the flaw: patch it soon, because given enough time it will get hacked.
Learn More
Cisco Systems has released security updates to patch an actively exploited high-severity vulnerability in Cisco IOS Software and Cisco IOS XE Software that allows authenticated remote attackers to compromise systems through specially crafted SNMP packets.
The flaw is tracked as CVE-2025-20352 (CVSS score 7.7) caused by a stack-based buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem. This flaw affects all versions of SNMP—including SNMPv1, SNMPv2c, and SNMPv3—making any Cisco device with SNMP enabled potentially vulnerable to exploitation.
The Cisco Product Security Incident Response Team (PSIRT) confirmed that this vulnerability has been exploited in real-world attacks. Cisco discovered the active exploitation during the resolution of a Cisco Technical Assistance Center (TAC) support case, where attackers used the flaw after first compromising local Administrator credentials.
Affected versions include:
- Cisco IOS Software (all versions with SNMP enabled)
- Cisco IOS XE Software (all versions with SNMP enabled)
- Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier
Products confirmed not vulnerable:
- Cisco IOS XR Software
- Cisco NX-OS Software
Organizations can determine whether their devices are vulnerable by checking whether SNMP is configured. For SNMPv1 or v2c, administrators can use the command `show running-config | include snmp-server community`. For SNMPv3, the commands `show running-config | include snmp-server group` and `show snmp user` will show whether the protocol is enabled.
Cisco has released software updates that patch this vulnerability. Organizations can use the Cisco Software Checker tool to identify the fixed versions for their deployments and the appropriate upgrade path. For Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17, the issue is resolved in Cisco IOS XE Software Release 17.15.4a and later versions.
There are no workarounds available to completely address this vulnerability, but Cisco has provided mitigation strategies for organizations that can't immediately deploy patches.
The primary mitigation involves restricting SNMP access to trusted users only and actively monitoring affected systems using the `show snmp host` CLI command. Administrators can disable specific affected OIDs on devices by creating or updating view entries using the `snmp-server view` global configuration command.
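The exposure check described above (v1/v2c communities from the running-config, v3 groups and `show snmp user` output) and the "restrict to trusted sources" mitigation can be reviewed in one pass over captured CLI output. The following is an added example, not Cisco's tooling or code from the original article; the config and `show snmp user` text it parses are constructed samples, and the ACL-aware community syntax it recognises is the common `snmp-server community <name> [view <v>] [RO|RW] [<acl>]` form.

```python
import re

# Constructed sample output (not captured from a real device) of
# "show running-config | include snmp-server" and "show snmp user".
SAMPLE_RUNNING_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETMON v3 priv
snmp-server host 192.0.2.10 version 2c public
"""
SAMPLE_SHOW_SNMP_USER = """\
User name: monitor
Engine ID: 800000090300AABBCCDDEEFF
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: NETMON
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?$")


def audit_snmp(running_config: str, show_snmp_user: str = "") -> dict:
    """Summarise SNMP exposure from Cisco IOS/IOS XE CLI output.

    v1/v2c: 'snmp-server community' lines; a community with no trailing ACL
    accepts queries from any source that can reach the device.
    v3: 'snmp-server group ... v3' lines plus 'User name:' lines from
    'show snmp user' (IOS does not list v3 users in the running-config).
    """
    result = {"communities": {}, "open_communities": [], "v3_groups": [],
              "v3_users": [], "hosts": []}
    for raw in running_config.splitlines():
        line = raw.strip()
        tokens = line.split()
        m = COMMUNITY_RE.match(line)
        if m:
            name, _view, mode, acl = m.groups()
            result["communities"][name] = {"mode": mode or "RO", "acl": acl}
            if acl is None:  # no source restriction: flag for mitigation
                result["open_communities"].append(name)
        elif line.startswith("snmp-server group ") and len(tokens) > 3 and tokens[3] == "v3":
            result["v3_groups"].append(tokens[2])
        elif line.startswith("snmp-server host "):
            result["hosts"].append(tokens[2])  # cross-check with 'show snmp host'
    for raw in show_snmp_user.splitlines():
        if raw.startswith("User name:"):
            result["v3_users"].append(raw.split(":", 1)[1].strip())
    result["snmp_enabled"] = bool(result["communities"] or result["v3_groups"]
                                  or result["v3_users"])
    return result
```

Any device where `snmp_enabled` is true is in scope for the update; `open_communities` lists the v1/v2c strings to restrict with an ACL until the fixed release is installed.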
Cisco strongly recommends that all customers upgrade to fixed software releases to fully remediate CVE-2025-20352 and avoid future exposure. The company emphasizes that any workarounds or mitigations should be considered temporary solutions until patches can be deployed.