Denial of Service and Code Execution Vulnerability in Cisco IOS Software and Cisco IOS XE Software
CVE-2025-20352
Key Information:
- Vendor: Cisco
- CVE Published: 24 September 2025
What is CVE-2025-20352?
CVE-2025-20352 is a severe vulnerability found in Cisco IOS Software and Cisco IOS XE Software, affecting devices that utilize Simple Network Management Protocol (SNMP). This vulnerability arises from a stack overflow condition in the SNMP subsystem, which can be exploited by authenticated attackers. Specifically, a low-privileged attacker can induce a denial of service (DoS) on the affected devices, causing them to reload and become temporarily unavailable. More critically, an attacker with higher privileges can execute arbitrary code as the root user, granting full control over affected systems. This vulnerability is particularly concerning due to the widespread deployment of Cisco's IOS software in enterprise networks, where stability and security are paramount.
Potential impact of CVE-2025-20352
- Denial of Service (DoS): Exploitation of this vulnerability by low-privileged attackers can lead to a DoS condition, rendering affected devices inoperable and disrupting network services. This disruption can affect critical business operations and result in financial losses.
- Remote Code Execution: High-privileged attackers can exploit this vulnerability to execute arbitrary code as the root user on affected devices. This could lead to full system compromise, allowing attackers to manipulate network traffic, access sensitive data, and deploy additional malware within the network.
- Widespread Network Exposure: Given the extensive use of Cisco devices in various organizations, the vulnerability poses a significant risk of broad network exposure, making it a prime target for sophisticated cyber threats. The potential for widespread exploitation increases the urgency for organizations to address this vulnerability promptly to safeguard their infrastructure.
CISA has reported CVE-2025-20352
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-20352 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Cisco IOS XE Catalyst SD-WAN 16.9.1
Cisco IOS XE Catalyst SD-WAN 16.9.2
Cisco IOS XE Catalyst SD-WAN 16.9.3
News Articles
Hackers exploit Cisco SNMP flaw to deploy rootkit on switches
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access.
1 week ago

Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in 'Zero Disco' Attacks
Operation Zero Disco exploits Cisco IOS flaw CVE-2025-20352 to deploy persistent Linux rootkits
1 week ago
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits
Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.
1 week ago
Timeline
- 💰 Used in Ransomware
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 📰 First article discovered by The Hacker News
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved