CVE-2025-20352: Cisco IOS/IOS XE SNMP Zero-Day Exploited in the Wild
A stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE is under active exploitation. Here’s what it is, how it’s abused, and how to reduce your blast radius fast.
Overview
CVE-2025-20352 is a vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE. Specially crafted SNMP requests can trigger a stack overflow that leads to denial-of-service (device reload) and, in certain conditions, remote code execution (RCE) on IOS XE with root-level impact. Cisco confirms exploitation in the wild and has shipped fixed software.
How it Works
The bug stems from improper bounds checking in the SNMP request parsing path. By sending a maliciously structured SNMP packet (v1, v2c, or v3), an attacker can overwrite stack memory. The exact post-overflow outcome depends on the attacker’s access level and target platform:
With low-privileged, authenticated SNMP access, the most immediate and reliable effect is a reload, translating into a denial-of-service on the device. With higher-privileged SNMP context on IOS XE, control of execution flow is possible, enabling code execution as root. Organizations frequently widen SNMP reach for monitoring convenience, so the attack surface often includes core and distribution tiers.
Risks
The operational and security impact is twofold. A DoS on core routers or campus distribution switches can cascade into loss of reachability for branch sites, authentication backends, or east-west services. Successful RCE can grant a durable foothold on network infrastructure: implanting backdoors, disabling telemetry, modifying routing policies, or shaping/duplicating traffic for interception. Because SNMP is still widely enabled and sometimes permitted from semi-trusted networks, this CVE can bridge from monitoring enclaves into the heart of the network.
Possible Use
Consider a multinational enterprise with thousands of IOS XE devices monitored via SNMPv2c using a common community. A contractor laptop with VPN access is phished; the community string is recovered from scripts. The attacker targets a regional core switch, delivering a crafted SNMP request that triggers the overflow. The device reloads, and after change-window confusion, a second stage achieves code execution. A persistent implant disables selected syslog exports and silently mirrors traffic from payment processing VLANs toward an attacker-controlled host. The SOC eventually sees gaps in telemetry and abnormal SNMP errors, but the exfiltration has already begun.
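The telemetry gaps and abnormal SNMP errors the scenario ends on are the signals a hunt can start from. The following is an added example, not code from this page or from Cisco: a small Python hunt over an IOS-style syslog export that flags a burst of SNMP authentication failures from a single source and a device restart with no preceding operator-requested reload. The sample log lines are constructed (hostnames and addresses are placeholders); the %SNMP-3-AUTHFAIL, %SYS-5-RELOAD and %SYS-5-RESTART mnemonics are real IOS messages, while the failure threshold and the reload window are assumptions to tune per environment.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample syslog export in IOS message format. Hostnames and IP
# addresses are placeholders; 192.0.2.10 plays the legitimate NMS.
SAMPLE_SYSLOG = """\
Mar 10 09:00:01 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Mar 10 09:01:00 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:01:01 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:01:02 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:01:03 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:01:04 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:01:05 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.77
Mar 10 09:05:10 core-sw-1 %SYS-5-RESTART: System restarted --
Mar 10 09:30:00 dist-sw-2 %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.5). Reload Reason: Reload Command.
Mar 10 09:31:30 dist-sw-2 %SYS-5-RESTART: System restarted --
"""

# "<Mon> <day> <hh:mm:ss> <host> %<FACILITY-SEV-MNEMONIC>: <text>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %([A-Z0-9_-]+): (.*)$")


def parse_syslog(text: str, year: int = 2025) -> List[dict]:
    """Parse IOS-style syslog lines into events; the year is assumed because
    the timestamp format carries none."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an IOS-format message
        ts, host, mnemonic, msg = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "host": host, "mnemonic": mnemonic, "msg": msg})
    return events


def authfail_sources(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Sources that produced at least `threshold` SNMP auth failures
    (threshold is an assumed tuning value)."""
    counts: Counter = Counter()
    for e in events:
        if e["mnemonic"] == "SNMP-3-AUTHFAIL":
            m = re.search(r"from host (\S+)", e["msg"])
            if m:
                counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def unexpected_restarts(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Hosts that logged a restart without an operator reload request in the
    preceding window: the DoS signature of a crash-induced reload."""
    last_reload: Dict[str, datetime] = {}
    flagged = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["mnemonic"] == "SYS-5-RELOAD":
            last_reload[e["host"]] = e["time"]
        elif e["mnemonic"] == "SYS-5-RESTART":
            prior = last_reload.get(e["host"])
            if prior is None or e["time"] - prior > window:
                flagged.append(e["host"])
    return flagged


def hunt(text: str) -> dict:
    events = parse_syslog(text)
    return {
        "authfail_bursts": authfail_sources(events),
        "unexpected_restarts": unexpected_restarts(events),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

On the sample above the single failure from the NMS stays below threshold, the six from 198.51.100.77 are reported, and core-sw-1 is flagged because its restart has no matching reload request, whereas dist-sw-2 restarted 90 seconds after an operator reload and is not. Pair the auth-failure burst with the source's expected role (is it an NMS at all?) before escalating.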
Recommendations
The single most effective control is patching. Cisco has released fixed images; prioritise devices with SNMP exposed beyond a dedicated management network. In parallel, reduce exposure and harden authentication to collapse the viable exploit paths.
Action plan (minimal bullets, high impact):
- Upgrade immediately to Cisco’s fixed IOS/IOS XE releases. Treat this as emergency maintenance.
- Restrict SNMP to a management VLAN or out-of-band network; block from untrusted segments and the Internet.
- Enforce SNMPv3 at the authPriv level (authentication and privacy); phase out v1/v2c communities; rotate any shared credentials.
- Monitor and hunt for malformed SNMP traffic, spikes in SNMP errors, unexpected device reloads, and config drift.
- Apply least-privilege SNMP views and groups; remove stale accounts; review automation scripts that embed credentials.
Note: If your operations require SNMP temporarily in broader segments, constrain by ACLs (source IPs of NMS only), rate-limit where feasible, and maintain out-of-band access for recovery.
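The plan above is easiest to enforce when it can be checked mechanically against config templates and the automation scripts that push them. The following is an added example, not code from this page or from Cisco: a Python auditor that reads IOS-style SNMP configuration and reports v1/v2c communities, read-write communities, missing or undefined source ACLs, and SNMPv3 groups or users below authPriv. The weak and hardened configs are constructed samples; the ACL name, view name, group, user and password strings are placeholders. One caveat it encodes: IOS does not print the auth/priv keywords of `snmp-server user` lines in `show running-config`, so the user check is meant for templates and scripts as written, and live users should be verified with `show snmp user`.

```python
import re
from typing import List, Optional, Set

# Constructed sample: the exposure the action plan targets.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community monitoring RW
snmp-server group LEGACY v3 noauth
snmp-server user probe LEGACY v3
"""

# Constructed sample: SNMPv3 authPriv, NMS-only ACL, read-only view limited to
# the system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2) subtrees.
# AUTH-PASS-PLACEHOLDER / PRIV-PASS-PLACEHOLDER stand in for real secrets.
HARDENED_CONFIG = """\
ip access-list standard SNMP-NMS
 permit 192.0.2.10
 permit 192.0.2.11
 deny any log
snmp-server view NMS-VIEW 1.3.6.1.2.1.1 included
snmp-server view NMS-VIEW 1.3.6.1.2.1.2 included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-NMS
snmp-server user nmsuser NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER access SNMP-NMS
"""


def _acl_names(config: str) -> Set[str]:
    """Collect named and numbered ACLs so references can be validated."""
    names = set()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line) or re.match(r"access-list (\d+) ", line)
        if m:
            names.add(m.group(1))
    return names


def _acl_finding(kind: str, name: str, acl: Optional[str], acls: Set[str]) -> Optional[str]:
    if acl is None:
        return f"{kind} '{name}' has no source ACL"
    if acl not in acls:
        return f"{kind} '{name}' references undefined ACL '{acl}'"
    return None


def audit_snmp(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config meets the plan."""
    acls = _acl_names(config)
    findings: List[str] = []
    for line in config.splitlines():
        line = line.strip()
        # snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
        m = re.match(r"snmp-server community (\S+)(.*)", line)
        if m:
            name, tokens = m.group(1), m.group(2).split()
            mode, acl, i = "RO", None, 0
            while i < len(tokens):
                if tokens[i] in ("view", "ipv6"):
                    i += 2  # skip the keyword and its argument
                    continue
                if tokens[i].upper() in ("RO", "RW"):
                    mode = tokens[i].upper()
                else:
                    acl = tokens[i]  # trailing bare token is the IPv4 ACL
                i += 1
            findings.append(f"community '{name}' uses SNMPv1/v2c; migrate to SNMPv3")
            if mode == "RW":
                findings.append(f"community '{name}' is read-write")
            f = _acl_finding("community", name, acl, acls)
            if f:
                findings.append(f)
            continue
        # snmp-server group <name> v3 noauth|auth|priv [read <v>] [write <v>] [access <acl>]
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)", line)
        if m:
            name, level, rest = m.groups()
            if level != "priv":
                findings.append(f"group '{name}' security level is {level}; expected priv")
            am = re.search(r"\baccess (\S+)", rest)
            f = _acl_finding("group", name, am.group(1) if am else None, acls)
            if f:
                findings.append(f)
            continue
        # snmp-server user <name> <group> v3 [auth ...] [priv ...] [access <acl>]
        # Only meaningful for templates: running-config omits these keywords.
        m = re.match(r"snmp-server user (\S+) (\S+) v3\b(.*)", line)
        if m and not re.search(r"\bpriv\b", m.group(3)):
            findings.append(f"user '{m.group(1)}' has no privacy (encryption) configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_snmp(cfg) or 'no findings'}")
```

Run against the weak sample it reports eight findings (two per community, plus the RW mode, the noauth group without an ACL, and the user without privacy); the hardened sample returns none. The ACL in the hardened sample ends with `deny any log` so that polls from anywhere other than the NMS hosts show up in syslog, which feeds the hunting step above.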