Cisco has fixed 14 vulnerabilities in IOS and IOS XE software, among them CVE-2025-20352, a high-severity vulnerability that has been exploited in zero-day attacks.
About CVE-2025-20352
Cisco IOS software can be found on older models of Cisco Catalyst switches, Integrated Services Routers, and small enterprise and branch routers, as well as many legacy platforms.
Cisco IOS XE software powers many of the company’s high-performance wireless controllers, routers and switches, including virtual routers and industrial networking devices.
CVE-2025-20352 is a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. It can be triggered by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks.
“A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system,” the company explained.
“To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device.”
It seems that the attackers had the latter, as the Cisco PSIRT “became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised.”
Update or mitigate
Cisco did not specify all the vulnerable IOS and IOS XE software releases, but noted that Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier are also affected.
Customers have been advised to use the Cisco Software Checker or a form in the security advisory to check whether their devices are running an affected version.
If the result they get is positive, they can upgrade to a specified fixed version. If that’s not immediately possible, Cisco has also shared a temporary mitigation: Administrators should allow only trusted users to have SNMP access on an affected system.
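To apply that mitigation, an administrator first needs to know which SNMP communities and SNMPv3 groups on a device accept requests from any source. The following audit script is an added example, not code from Cisco or from this article; it assumes the standard IOS `snmp-server community` and `snmp-server group` command syntax, and the function name `audit_snmp` and the sample configuration are constructed for illustration.

```python
# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-sw1
snmp-server community public RO
snmp-server community n0c-ro RO 10
snmp-server community n0c-v6 view NOCVIEW RO ipv6 MGMT6 10
snmp-server group OPS v3 priv
snmp-server group NOC v3 priv access 10
access-list 10 permit 192.0.2.10
"""

def audit_snmp(config):
    """Return (line_number, issue) for SNMP access not bound to an ACL."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        if tok[1] == "community":
            # Syntax: community <string> [view V] [ro|rw] [ipv6 NACL] [ACL]
            v4 = v6 = None
            rest, i = tok[3:], 0
            while i < len(rest):
                word = rest[i].lower()
                if word == "view":
                    i += 2                      # skip the view name
                elif word in ("ro", "rw"):
                    i += 1
                elif word == "ipv6":
                    v6 = rest[i + 1] if i + 1 < len(rest) else None
                    i += 2
                else:
                    v4 = rest[i]                # numbered or named IPv4 ACL
                    i += 1
            if v4 is None:
                findings.append((n, "community without IPv4 ACL"))
            if v6 is None:                      # matters only if IPv6 is reachable
                findings.append((n, "community without IPv6 ACL"))
        elif tok[1] == "group" and "access" not in tok[4:]:
            findings.append((n, "group without access ACL"))
    return findings

if __name__ == "__main__":
    for lineno, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {issue}")  # community strings are never printed
```

The script only checks that an ACL is referenced; the ACL's own entries still have to be reviewed to confirm they permit management stations only.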