As many as 2 million Cisco devices are susceptible to an actively exploited zero-day that can remotely crash or execute code on vulnerable systems.
Cisco said Wednesday that the vulnerability, tracked as CVE-2025-20352, was present in all supported versions of Cisco IOS and Cisco IOS XE, the operating systems that power a wide variety of the company’s networking devices. The vulnerability can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code that runs with unfettered root privileges. It carries a severity rating of 7.7 out of a possible 10.
Exposing SNMP to the Internet? Yep
“The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised,” Wednesday’s advisory stated. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”
The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (Simple Network Management Protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.
To execute malicious code, the remote attacker must possess a read-only community string, an SNMP-specific form of authentication for accessing managed devices. Such strings frequently ship with devices as defaults. Even when an administrator changes them, read-only community strings are often widely known inside an organization. The attacker would also need administrative privileges on the vulnerable system. With both, the attacker can obtain RCE (remote code execution) that runs as root.
“If you get RCE as root, you’re getting higher than admin privileges,” independent researcher Kevin Beaumont wrote in an online interview. “You’re not supposed to be able to get root on those devices.”
To perform a DoS, all an attacker needs is the read-only community string or valid SNMPv3 user credentials.
Exposing SNMP on Internet-facing interfaces is frowned upon because it unnecessarily exposes networks to precisely these sorts of risks. As Beaumont noted on Mastodon, however, the Shodan search engine indicates that more than 2 million devices around the world do just that.
The best protection against exploitation is to install the update Cisco has released. Those who can’t do so right away can mitigate the risk by allowing only trusted users to have SNMP access and by monitoring their Cisco devices with the snmp show commands in the device terminal. There are no workarounds. There are also no additional details about the in-the-wild exploitation.
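One concrete way to act on the two points above, that default or unrestricted read-only community strings are the precondition for this bug and that limiting SNMP access to trusted users is the advisory's mitigation, is to audit device configs for those settings. The script below is an added example written for this article, not Cisco tooling: the running-config text it scans is constructed, and the list of default strings and the regexes for the snmp-server community and snmp-server group lines are assumptions about common IOS config syntax rather than anything from the advisory.

```python
"""Audit a Cisco IOS-style running-config for risky SNMP settings.

Added example (not Cisco's tooling). Flags community strings that are
well-known defaults, lack an access-list restriction, or grant write
access, and flags SNMPv3 groups that run without authentication.
"""
import re

# Well-known default or guessable community strings (illustrative list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "community"}

# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit host 10.0.0.5
access-list 10 deny   any log
!
snmp-server community public RO
snmp-server community N3tm0n-ro RO 10
snmp-server community N3tm0n-rw RW
snmp-server group OPS v3 noauth
snmp-server group SECOPS v3 priv
snmp-server host 10.0.0.5 version 2c public
!
end
"""

# Assumed shapes: "snmp-server community <string> [view <name>] RO|RW [<acl>]"
# and "snmp-server group <name> v3 noauth|auth|priv ...".
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$"
)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")


def audit_snmp_config(config: str) -> list[dict]:
    """Return one finding per risky SNMP line; an empty list means clean."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append({"line": lineno, "severity": "high",
                                 "reason": f"default community string '{community}'"})
            if acl is None:
                # No ACL means any host that can reach UDP/161 may use it.
                findings.append({"line": lineno, "severity": "medium",
                                 "reason": f"community '{community}' not restricted by an access-list"})
            if mode == "RW":
                findings.append({"line": lineno, "severity": "high",
                                 "reason": f"community '{community}' grants write access"})
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) == "noauth":
            findings.append({"line": lineno, "severity": "high",
                             "reason": f"SNMPv3 group '{m.group(1)}' runs without authentication"})
    return findings


def count_by_severity(findings: list[dict]) -> dict:
    """Summarise findings as {severity: count} for a quick triage view."""
    summary: dict = {}
    for f in findings:
        summary[f["severity"]] = summary.get(f["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    results = audit_snmp_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f['line']:>3} [{f['severity']}] {f['reason']}")
    print("summary:", count_by_severity(results))
```

Run against an exported running-config, the script points at the lines to fix first: replace default strings, bind every remaining community to an access-list that permits only the monitoring hosts, and move SNMPv3 groups to auth or priv.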
CVE-2025-20352 is one of 14 vulnerabilities Cisco patched in its September update release. Eight of the vulnerabilities carried severity ratings ranging from 6.7 to 8.8.