Cisco Zero-Day Under Attack: Critical SNMP Flaw in IOS/IOS XE Needs Immediate Patching

Cisco has released security updates addressing a zero-day in IOS and IOS XE that is already being exploited in the wild. CVE-2025-20352 is a stack-based buffer overflow in the SNMP subsystem; any device with SNMP enabled is affected.

Exploitation requires minimal privileges: an attacker with a low-privilege account can trigger a denial of service, while a compromised higher-privilege account may execute commands as root and seize full control of the device. A single specially crafted SNMP packet sent over IPv4 or IPv6 is sufficient to crash or compromise a target.

Cisco reports that successful intrusions have followed the compromise of administrator credentials. The vendor urges immediate upgrading to patched releases, noting there are no complete workarounds; as a temporary mitigation, organisations should restrict SNMP access to trusted hosts only.
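One way to check running configurations against that interim mitigation, as an added example that is not Cisco's or the article's code: the script below parses a constructed Cisco IOS config and flags every SNMP community string that is not limited to an ACL of trusted hosts (no ACL, an ACL that permits any source, or an ACL the config never defines); the community and access-list syntax is stock IOS, the sample values are invented.

```python
"""Audit Cisco IOS / IOS XE running-config text for SNMP exposure.
Added example, not Cisco's or the article's code; the config below is
constructed. 'snmp-server community' and 'access-list' syntax is stock IOS."""
import re

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)
# access-list <id> permit|deny <source>  (standard ACL entries)
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$", re.I)

SAMPLE_CONFIG = """\
! constructed sample, not a real device
access-list 10 permit 192.0.2.10
access-list 20 permit any
snmp-server community public RO
snmp-server community monitor RO 10
snmp-server community netops RW 20
snmp-server location DC-1
"""

def parse_acls(config):
    """Map each ACL id to its list of (action, source) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
    return acls

def audit_snmp(config):
    """Return (community, issue) pairs for communities not limited to trusted hosts."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, acl = m.group(1), m.group(3)
        mode = (m.group(2) or "RO").upper()  # IOS defaults a community to read-only
        if acl is None:
            findings.append((community, "no ACL: reachable from any source"))
        elif acl not in acls:
            findings.append((community, f"ACL {acl} not defined in this config"))
        elif any(act == "permit" and src.split()[0].lower() == "any"
                 for act, src in acls[acl]):
            findings.append((community, f"ACL {acl} permits any source"))
        if mode == "RW":  # least privilege: RW allows SNMP SET operations
            findings.append((community, "read-write community"))
    return findings
```

Run `audit_snmp` over the output of `show running-config`; the only community in the sample that passes is `monitor`, which is read-only and bound to an ACL permitting a single host.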

The bulletin also fixes 13 additional issues, including two with published proofs of concept: CVE-2025-20240, an unauthenticated XSS in IOS XE that permits cookie theft, and CVE-2025-20149, which allows an authorized local user to force a device reboot.

This advisory follows a May fix for a critical flaw in IOS XE wireless controllers, where attackers could gain control via a hard-coded JSON Web Token—an earlier reminder that vulnerabilities in core Cisco services are actively weaponised. The new CVE-2025-20352 underscores the urgency: organisations must patch promptly to defend against ongoing exploitation.
