High Severity SNMP Vulnerability in Cisco IOS & IOS XE Under Active Exploitation (CVE-2025-20352)

Executive Summary

On September 24th, Cisco published an advisory detailing a high-severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and Cisco IOS XE. The bug, tracked as CVE-2025-20352, is a stack overflow in the SNMP subsystem of the underlying operating systems. An authenticated attacker holding a valid SNMPv1/v2c read-only community string or valid SNMPv3 user credentials can trigger a denial-of-service (DoS) condition; an attacker who additionally holds administrative credentials on the device can execute arbitrary code.

Cisco’s Product Security Incident Response Team (PSIRT) has confirmed successful exploitation of this vulnerability in the wild. A low-privileged attacker can trigger a condition that forces an affected system to reload, resulting in a denial of service (DoS), while a high-privileged attacker can gain complete control of the system. It is important to note that many internet-exposed SNMP devices still use a default read-only community string (such as “public”), and that string alone is sufficient to trigger the DoS condition.

This vulnerability affects every version of SNMP (v1, v2c and v3) on Cisco IOS and IOS XE devices that have SNMP enabled. Given how widely SNMP is exposed on the internet and the confirmed exploitation in the wild, Beazley Security recommends that organizations patch as soon as possible.

Affected Systems or Products

CVE-2025-20352 affects all SNMP versions on any Cisco product running a vulnerable release of Cisco IOS or Cisco IOS XE. It also affects Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 or earlier.

Because of the wide range of affected products and software trains, Cisco provides the Cisco Software Checker to give a definitive answer on whether a given release is affected and which release contains the fix.

Mitigations / Workarounds

No workaround fully addresses this flaw without patching. A partial mitigation exists by excluding the affected object ID (OID) from the SNMP views a device exposes, at the cost of some SNMP management capability.

If patching cannot be performed immediately, the following measures reduce risk, although some of them degrade SNMP management capability:

  • Configure access control lists (ACLs) on Cisco devices so that SNMP is reachable only from known, trusted management systems, and block SNMP (UDP port 161) and SNMP traps (UDP port 162) at the network perimeter.
  • Ensure that SNMP community strings are not defaults (such as “public” for read-only) and are not shared across devices.
  • If SNMP is not required, disable the service until affected systems can be patched.
  • Migrate to SNMPv3 with authentication and privacy where possible.
  • Finally, exclude the affected OIDs per Cisco’s instructions (reproduced below):

To create or update a view entry that excludes the affected OIDs, use the snmp-server view global configuration command, as in the following example:

!Standard VIEW and Security Exclusions
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
!End Standard View
!Advisory Specific Mappings
!CISCO-AUTH-FRAMEWORK-MIB
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded 

To apply this view to an SNMPv1/v2c community string, use the following command:

snmp-server community $MY_COMMUNITY view NO_BAD_SNMP RO

For SNMPv3, apply the view to the group; note that the security model keyword (v3) must precede the security level:

snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP

Because excluding OIDs can affect other SNMP management functions, organizations should understand the impact of limiting access to the affected object IDs (OIDs) before deploying the change; monitoring that depends on the excluded objects will stop working. Applying the available patches is strongly preferred over relying on these mitigations.

Patches

Cisco has released fixed software for the affected product families. Use the Cisco Software Checker referenced in the Affected Systems or Products section above to identify the first fixed release for each affected product.

Patches are made available by Cisco via their Cisco Software Download Center.

Technical Details

A stack overflow flaw in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE allows an authenticated attacker to exploit the vulnerability by sending a specially crafted SNMP packet to an affected system. The vendor has not published specific details of the flaw, but Cisco’s PSIRT team has confirmed successful exploitation in the wild “after local Administrator credentials were compromised.”

Because authentication is required, the impact an attacker can achieve depends on the credentials they hold. Cisco states that a low-privileged, authenticated attacker can cause a DoS by forcing an affected system to reload. Remote code execution requires the attacker to be authenticated to SNMP and also to hold administrative-level credentials on the device.

BSL cannot confirm at the time of this writing, but based on the contents of Cisco’s advisory, specific SNMP objects appear to be involved. Cisco’s mitigation adds standard security exclusions for the snmpUsmMIB, snmpVacmMIB and snmpCommunityMIB objects (which stop SNMP from exposing its own user, access-control and community configuration) and an advisory-specific exclusion for cafSessionMethodsInfoEntry in CISCO-AUTH-FRAMEWORK-MIB.

SNMP is often exposed to the internet and not always hardened to best practice, so an attacker who knows the read-only community string already has everything needed for the low-privileged attack. These community strings are commonly left unchanged in production networks, and anyone who can guess the string, often just the word “public”, can perform a successful DoS attack. Internet-scale exposure compounds the risk that attackers will target and exploit vulnerable devices. Ars Technica has reported that nearly 2 million SNMP-exposed Cisco interfaces were discoverable from the internet, and Beazley Security Labs has confirmed broad susceptibility across our internet exposure data.

Cisco has provided the following guidance to determine whether a device has a vulnerable configuration:

Check for SNMPv1 or SNMPv2c

If the command `show running-config | include snmp-server community` returns any output, as in the example below, SNMPv1/v2c is enabled.

Router# show running-config | include snmp-server community
snmp-server community public ro

Check for SNMPv3

To check for SNMPv3, use two commands, `show running-config | include snmp-server group` and `show snmp user`; as above, any output indicates SNMPv3 is enabled. The second command is needed because SNMPv3 users are not shown in the running configuration. Example output is shown below.

Router# show running-config | include snmp-server group
snmp-server group v3group v3 noauth
Router# show snmp user
User name: remoteuser1
Engine ID: 800000090300EE01E71C178C
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: v3group
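The following Python script, added here as an example and not part of Cisco’s advisory or Beazley Security’s own tooling, turns the `show running-config` checks above and the mitigation view from the Mitigations / Workarounds section into an offline audit over saved running-configs. It flags SNMPv1/v2c communities, default or read-write community strings, communities with no ACL, views or SNMPv3 groups that do not exclude the cafSessionMethodsInfoEntry OID, and SNMPv3 groups configured with noauth. The sample configs, ACL number 99 and community strings are constructed for the example, the list of default community strings is an assumption, and the OID check matches the named form used in Cisco’s view example rather than the numeric dotted form. SNMPv3 users are not part of running-config on IOS, so they are still checked with `show snmp user` as described above.

```python
"""Audit saved Cisco IOS / IOS XE running-configs for the SNMP conditions
discussed above. Added example; not Cisco's or Beazley Security's code."""
import re

# Assumption: a short list of widely used default community strings.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
# Name prefix of the advisory-specific exclusion in Cisco's mitigation view
# (the numeric dotted form of the OID is not recognised by this check).
MITIGATION_OID = "cafSessionMethodsInfoEntry"

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (ro|rw)(?: (.+))?$", re.I)
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?: read (\S+))?(?: write (\S+))?", re.I)
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$", re.I)


def parse_views(lines):
    """Map each view name to the set of OIDs it excludes."""
    views = {}
    for line in lines:
        m = VIEW_RE.match(line)
        if m:
            name, oid, mode = m.groups()
            views.setdefault(name, set())
            if mode.lower() == "excluded":
                views[name].add(oid)
    return views


def view_mitigated(views, view_name):
    """True if the named view excludes the advisory OID (matched by name prefix)."""
    return view_name is not None and any(
        oid.startswith(MITIGATION_OID) for oid in views.get(view_name, ()))


def audit_snmp(config_text):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    views = parse_views(lines)
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            community, view, mode, acl = m.groups()
            findings.append(("info", f"SNMPv1/v2c enabled (community '{community}')"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default community string '{community}'"))
            if mode.lower() == "rw":
                findings.append(("high", f"read-write community '{community}'"))
            if acl is None:
                findings.append(("medium", f"community '{community}' has no ACL"))
            if not view_mitigated(views, view):
                findings.append(("medium", f"community '{community}' lacks the mitigation view"))
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level, read_view, write_view = m.groups()
            if level.lower() == "noauth":
                findings.append(("high", f"SNMPv3 group '{group}' allows noauth"))
            for kind, v in (("read", read_view), ("write", write_view)):
                if v is not None and not view_mitigated(views, v):
                    findings.append(("medium", f"SNMPv3 group '{group}' {kind} view '{v}' lacks the mitigation view"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample configs (ACL number, group names and strings are made up).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group v3group v3 noauth
"""
# SNMPv1/v2c kept, but with a non-default string, an ACL and the mitigation view.
MITIGATED_V2C_CONFIG = """\
access-list 99 permit 10.10.0.0 0.0.0.255
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
snmp-server community Xk9-monitoring view NO_BAD_SNMP RO 99
"""
# SNMPv3 only with auth+priv; v3 users are not shown in running-config on IOS.
HARDENED_CONFIG = """\
access-list 99 permit 10.10.0.0 0.0.0.255
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
snmp-server group NMS-V3 v3 priv read NO_BAD_SNMP write NO_BAD_SNMP access 99
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("mitigated v2c", MITIGATED_V2C_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in audit_snmp(cfg) or [("ok", "no SNMP findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against `show running-config` output collected from each device. The hardened SNMPv3-only config returns no findings, while the mitigated SNMPv2c config returns only the informational note that v1/v2c remains enabled, which the migration-to-SNMPv3 recommendation above addresses.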

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management solution to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
