Latest Cisco IOS and IOS-XE vulnerability: CVE-2025-20352 #
Cisco has disclosed a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem on Cisco devices running certain versions of Cisco IOS and IOS XE software. This flaw could allow a remote, authenticated adversary to perform the following actions:
- Denial-of-Service (DoS): An adversary with low privileges can cause a DoS condition on an affected device running either Cisco IOS or IOS XE. This requires the read-only community string for SNMPv1 or SNMPv2c or valid SNMPv3 user credentials.
- Remote Code Execution (RCE): An adversary with high privileges can execute arbitrary code as the root user on an affected device running Cisco IOS XE. This requires both SNMP credentials (as mentioned above) and administrative (privilege level 15) credentials.
The vulnerability can be exploited through sending a specially crafted SNMP packet to an affected device over an IPv4 or IPv6 network. Successful exploitation by a low-privileged adversary could cause the system to reload, resulting in a DoS condition. A high-privileged adversary could achieve RCE, gaining full control of the system. This vulnerability has been designated CVE-2025-20352 and has been rated high with a CVSS score of 7.7.
Note that while authentication is required, both SNMPv1 and SNMPv2c use cleartext community strings. These strings often have common default values (e.g., public, private) and are vulnerable to interception by an adversary sniffing network traffic.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Multiple versions of Cisco IOS and IOS XE; see the official Cisco advisory (cisco-sa-snmp-x4LPhte) for a complete list
- Cisco IOS XE Catalyst SD-WAN versions 16.9.1, 16.9.2, 16.9.3, 16.9.4, 16.10.1, 16.10.2, 16.10.3, 16.10.3a, 16.10.3b, 16.10.4, 16.10.5, 16.10.6, 16.11.1a, 16.12.1b, 16.12.1d, 16.12.1e, 16.12.2r, 16.12.3, 16.12.4, 16.12.4a, 16.12.5
- Cisco Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier
What is the impact? #
Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- For general Cisco IOS and IOS XE devices: Consult the official Cisco advisory (cisco-sa-snmp-x4LPhte) and use the Cisco Software Checker tool to identify the appropriate patched software release and upgrade to that version.
- For Cisco Meraki MS390 and Cisco Catalyst 9300 Series Switches: upgrade to Cisco IOS XE version 17.15.4a or later.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
(os:="Cisco IOS" OR os:="Cisco IOS XE" OR hw:="Cisco Meraki MS390%" OR hw:="Cisco Meraki C9300%") AND has:snmp.v2DefaultCommunities
May 2025: CVE-2025-20188 #
Cisco has disclosed a vulnerability for its IOS-XE operating system when running on Catalyst wireless LAN controllers. If successfully exploited, this vulnerability would allow a remote, unauthenticated attacker to upload arbitrary files to a vulnerable system. Successfully exploiting this vulnerability could result in arbitrary code execution with root privileges.
The vulnerability has been assigned CVE-2025-20188 and has a CVSS score of 10.0 (critical).
What is the impact? #
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with root privileges.
Are updates or workarounds available? #
Cisco has made software updates available and advises customers to update as quickly as possible.
This vulnerability can also be mitigated by disabling the "Out-of-Band AP Image Download" feature on affected systems.
How runZero users found potentially vulnerable systems #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
os:="Cisco IOS XE" AND hw:"Catalyst" AND (
(osversion:>="17.7.0" AND osversion:<="17.7.1")
OR (osversion:>="17.10.0" AND osversion:<="17.10.1")
OR (osversion:>="17.8.0" AND osversion:<="17.8.1")
OR (osversion:>="17.9.0" AND osversion:<="17.9.5")
OR (osversion:>="17.11.0" AND osversion:<="17.11.1")
OR (osversion:>="17.12.0" AND osversion:<="17.2.3")
OR (osversion:>="17.13.0" AND osversion:<="17.13.1")
OR (osversion:>="17.14.0" AND osversion:<="17.14.1")
OR (osversion:>="17.11.0" AND osversion:<="17.11.99")
)
September 2024: Multiple CVEs #
Cisco released its semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication which includes software updates that addresses the following vulnerabilities in their IOS & IOS XE software.
CVE | Status | CVSS Score |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 8.1 | |
Medium | 6.5 | |
Medium | 6.5 | |
Medium | 5.8 | |
Medium | 4.7 | |
Medium | 4.3 |
What is the impact? #
Successful exploitation of these vulnerabilities range from denial-of-service attacks, privilege escalation, and arbitrary code execution.
Are updates or workarounds available? #
Cisco has indicated on each of these there are software updates available that its customers should apply to fix the issues outline in the advisory.
How runZero users found potentially vulnerable systems #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
os:"Cisco IOS%"
October 2021: Multiple CVEs #
Cisco Systems has disclosed 14 vulnerabilities in their devices which run Cisco IOS & IOS XE software.
CVE | Status | CVSS Score |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 8.6 | |
High | 7.4 | |
High | 7.4 | |
High | 7.4 | |
High | 7.4 | |
Medium | 6.5 | |
Medium | 6 | |
Medium | 5.8 | |
Medium | 5.6 | |
Medium | 5.5 |
What is the impact? #
Successful exploitation of these vulnerabilities range from denial-of-service attacks, privilege escalation, and arbitrary code execution.
Are updates or workarounds available? #
There are no workarounds for these vulnerabilities.
Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
How runZero users found potentially vulnerable systems #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
os:"Cisco IOS%"
October 2021: CVE-2023-20198 #
In October 2021, an actively exploited critical zero-day vulnerability surfaced in the Cisco IOS-XE operating system, used on Cisco routers, switches, and other devices. Deemed “critical” in severity with a CVSS score of 10 out of 10, this vulnerability affected any device running Cisco IOS-XE with the Web UI component enabled.
What was the impact? #
Upon successful exploitation, this vulnerability (tracked as CVE-2023-20198) allowed attackers to execute arbitrary commands on the vulnerable system. This included the creation of privileged users, installation of additional modules or code, and, in general, total system compromise.
Cisco recommended disabling the Web UI component of all Internet-facing IOS-XE devices.
How runZero users found potentially vulnerable systems #
From the Services Inventory, the following query was used to locate assets running the Cisco IOS-XE operating system in a network that exposed a web interface and which may have needed remediation or mitigation:
(products:nginx OR products:openresty) AND _asset.protocol:http AND protocol:http AND http.body:"window.onload=function%url%=%/webui"