Cisco SNMP Flaw (CVE-2025-20352) Actively Exploited: Patch Now to Stop Root Access!

Cisco has issued a security advisory warning of a critical flaw in its IOS and IOS XE Software, tracked as CVE-2025-20352 with a CVSS score of 7.7, which affects the SNMP subsystem and has already been exploited in the wild.

The flaw exists due to a stack overflow condition in the SNMP subsystem. According to Cisco, “A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS)… [or] an authenticated, remote attacker with high privileges could execute code as the root user.”

Attackers can exploit the bug by sending crafted SNMP packets to affected devices over IPv4 or IPv6 networks, potentially leading to full system compromise.

Cisco warns that this vulnerability affects all versions of SNMP and multiple Cisco products. The advisory highlights that, “A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.”

Products confirmed as affected include Cisco IOS Software, Cisco IOS XE Software, and also Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 or earlier. Cisco confirmed, “This is fixed in Cisco IOS XE Software Release 17.15.4a.”

The Cisco Product Security Incident Response Team (PSIRT) has confirmed active exploitation: “The Cisco PSIRT became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised.”

This makes patching especially urgent for organizations relying on Cisco networking gear.

Unfortunately, there are no complete workarounds for this vulnerability. Cisco states, “There are no workarounds that address this vulnerability. However, there is a mitigation. Administrators are advised to allow only trusted users to have SNMP access on an affected system.”

As an additional mitigation step, administrators can exclude the affected Object IDs (OIDs) by configuring SNMP views, though this may negatively affect device management. For example:

!Standard VIEW and Security Exclusions
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
!End Standard View

!Advisory Specific Mappings
!CISCO-AUTH-FRAMEWORK-MIB
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded

To then apply this configuration to a community string, use the following command:

snmp-server community mycomm view NO_BAD_SNMP RO

For SNMPv3, use the following command:

snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP

Cisco warns that exclusions may disrupt discovery and hardware inventory functions, so organizations should test carefully before deploying.
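An added example, not from the article or from Cisco: a small Python audit that reads an IOS running-config (a constructed sample is embedded below) and flags every SNMP community string and SNMPv3 group that is not bound to a view excluding the advisory's OID, so an administrator can verify the mitigation above is applied wherever SNMP access is granted. The view, community and group names are the ones from the article; the config text, regexes and function names are this example's own assumptions.

```python
import re
from typing import List, Set

# Constructed sample running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
snmp-server community mycomm view NO_BAD_SNMP RO
snmp-server community public RO
snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP
snmp-server group legacy v3 priv
"""
ADVISORY_OID = "cafSessionMethodsInfoEntry.2.1.111"  # subtree named in the advisory

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)\b")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")

def mitigated_views(config: str) -> Set[str]:
    """Names of SNMP views that explicitly exclude the advisory OID."""
    views = set()
    for line in config.splitlines():
        m = VIEW_RE.match(line.strip())
        if m and m.group(2) == ADVISORY_OID and m.group(3) == "excluded":
            views.add(m.group(1))
    return views

def audit_snmp_access(config: str) -> List[str]:
    """Flag community strings and v3 groups whose read/write view does not exclude
    the advisory OID. A v3 group with no 'write' keyword has no write access on IOS,
    so only a present-but-unmitigated write view is reported for it."""
    safe = mitigated_views(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if m := COMMUNITY_RE.match(line):
            name, view, mode = m.groups()
            if view not in safe:
                findings.append(f"community {name} ({mode}): view not mitigated")
        elif m := GROUP_RE.match(line):
            name, _level, rest = m.groups()
            read = re.search(r"\bread (\S+)", rest)
            write = re.search(r"\bwrite (\S+)", rest)
            if read is None or read.group(1) not in safe:
                findings.append(f"v3 group {name}: read view not mitigated")
            if write is not None and write.group(1) not in safe:
                findings.append(f"v3 group {name}: write view not mitigated")
    return findings
```

Feed it the text of `show running-config` from each device; an empty result means every community and v3 group is tied to a view that excludes the advisory OID.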
