A vulnerability in Cisco IOS and IOS XE allows attackers to remotely disable or fully take over network equipment. Hackers are already actively exploiting the bug. There are no effective temporary workarounds, but Cisco has released security updates.
Cisco reports a critical security flaw in the SNMP (Simple Network Management Protocol) functionality of devices running IOS or IOS XE. The vulnerability allows authenticated attackers to cause a Denial of Service (DoS) with only low-privileged credentials, or to gain full control of the device with administrator credentials.
From DoS to Full Takeover
A DoS attack requires limited access rights. In that case, the attacker can force the device to reboot, disrupting network service. Those with administrator rights, on the other hand, can execute their own code with root privileges (full access to the system). To do so, attackers must send a crafted SNMP packet over an IPv4 or IPv6 connection.
According to Cisco, the flaw is due to a stack overflow in the operating system’s SNMP component. All SNMP versions (v1, v2c, and v3) are vulnerable. Cisco discovered the issue while handling a support case: the vulnerability had been exploited after an intrusion in which the attacker used administrator credentials.
Active Exploitation
Cisco also observed active exploitation in the wild. The company strongly urges customers to update their systems to a patched version. There are no workarounds available, although mitigating measures are possible, such as restricting SNMP access to trusted users and excluding certain OIDs.
The vulnerability is tracked as CVE-2025-20352 and has a CVSS score of 7.7. The flaw is a classic buffer overflow. Roughly 2 million Cisco devices have SNMP exposed to the internet and may be vulnerable.
Check and Update
Affected are various versions of Cisco IOS and IOS XE. Specific models such as the Meraki MS390 and Cisco Catalyst 9300 series with Meraki CS 17 or earlier are also vulnerable. IOS XR and NX-OS are not affected.
Administrators can check whether SNMP is active via the CLI commands show running-config | include snmp-server community (for SNMPv1/v2c) and show snmp user (for SNMPv3).
Cisco provides mitigating configurations that block the use of vulnerable OIDs, though this may affect SNMP functionality. For long-term protection, Cisco recommends upgrading to a version in which the issue is fixed. You can check whether a system is vulnerable with the Cisco Software Checker.
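As an added example (not from the article and not Cisco's own tooling), the following Python script takes the snmp-server lines that the CLI commands above return and flags every SNMPv1/v2c community and SNMPv3 group that is not limited by both a source access list and a view that excludes OIDs, which are the two interim measures the article describes. The sample configuration is constructed; community strings, ACL numbers and group names are placeholders, and PLACEHOLDER_OID stands in for the OIDs listed in Cisco's advisory, which this article does not reproduce.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of "show running-config | include snmp-server" output
# from a Cisco IOS device. Not captured from any real device: community
# strings, ACL numbers and group names are placeholders, and PLACEHOLDER_OID
# stands in for the OIDs Cisco's advisory tells you to exclude (assumption:
# the OID list comes from the advisory, not from this script).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community netmon RO 10
snmp-server community netops RW
snmp-server community restricted view NO_VULN_OIDS RO 10
snmp-server group MONITOR v3 priv read NO_VULN_OIDS access 10
snmp-server group LEGACY v3 noauth
snmp-server view NO_VULN_OIDS iso included
snmp-server view NO_VULN_OIDS PLACEHOLDER_OID excluded
"""

# IOS syntax: snmp-server community <string> [view <name>] {RO|RW} [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)(?: (?P<acl>\S+))?$"
)
# IOS syntax: snmp-server group <name> v3 {noauth|auth|priv}
#             [read <view>] [write <view>] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<sec>noauth|auth|priv)"
    r"(?: read (?P<read>\S+))?(?: write (?P<write>\S+))?(?: access (?P<acl>\S+))?$"
)
# IOS syntax: snmp-server view <name> <oid-tree> {included|excluded}
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<oid>\S+) (?P<action>included|excluded)$"
)


@dataclass
class Finding:
    principal: str                       # "community <string>" or "group <name>"
    issues: List[str] = field(default_factory=list)


def views_with_exclusions(config: str) -> set:
    """Names of views that exclude at least one OID subtree."""
    names = set()
    for line in config.splitlines():
        m = VIEW_RE.match(line.strip())
        if m and m["action"] == "excluded":
            names.add(m["name"])
    return names


def audit_snmp_config(config: str) -> List[Finding]:
    """Return one Finding per community or v3 group that is not restricted
    by both a source access list and a view with exclusions."""
    restricting_views = views_with_exclusions(config)
    findings: List[Finding] = []

    def view_issue(view):
        if view is None:
            return "no view: vulnerable OIDs are not excluded"
        if view not in restricting_views:
            return f"view {view} excludes nothing"
        return None

    for raw in config.splitlines():
        line = raw.strip()
        c = COMMUNITY_RE.match(line)
        if c:
            issues = []
            if c["acl"] is None:
                issues.append("no access list: any source may query")
            if c["mode"] == "RW":
                issues.append("read-write community")
            if (vi := view_issue(c["view"])):
                issues.append(vi)
            if issues:
                findings.append(Finding(f"community {c['string']}", issues))
            continue
        g = GROUP_RE.match(line)
        if g:
            issues = []
            if g["acl"] is None:
                issues.append("no access list: any source may query")
            if g["sec"] == "noauth":
                issues.append("noauth: no authentication or privacy")
            if (vi := view_issue(g["read"])):
                issues.append(vi)
            if issues:
                findings.append(Finding(f"group {g['name']}", issues))
    return findings


def findings_by_principal(config: str) -> Dict[str, List[str]]:
    """Convenience view of the audit: principal -> list of issues."""
    return {f.principal: f.issues for f in audit_snmp_config(config)}


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f.principal)
        for issue in f.issues:
            print("  -", issue)
```

Run it against the output of show running-config | include snmp-server saved to a file; the script is a heuristic triage aid for deciding which devices need the interim view and ACL changes first, not a substitute for the upgrade Cisco recommends.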