CVE-2025-20352 — Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability

CVE-2025-20352

Cisco IOS/IOS XE — SNMP Stack Overflow; DoS with Low Priv, RCE with Admin Creds; Active Exploitation Confirmed

What is Cisco IOS and IOS XE SNMP?

Cisco IOS and IOS XE are the operating systems that run Cisco routers, switches and other network appliances, and they are deployed throughout enterprise and service-provider networks. Simple Network Management Protocol (SNMP) is the standard protocol for monitoring and managing network devices. On IOS/IOS XE the SNMP agent is not active until an snmp-server command (a community string or an SNMPv3 user, for example) is configured, but in practice it is configured on most managed devices so that network management systems can poll them. A vulnerability in the SNMP implementation therefore affects every IOS/IOS XE device on which SNMP has been enabled, which in aggregate is a very large installed base.

Overview

CVE-2025-20352 is a stack-based buffer overflow (CWE-121) in the SNMP subsystem of Cisco IOS and IOS XE that has two distinct exploitation impacts depending on attacker privileges:

  1. Denial of Service (CVSS 7.7, Low privileges): An attacker with only SNMP read-only community string access can send crafted SNMP packets to cause the device to reload — achieving a DoS against network infrastructure.

  2. Remote Code Execution (High privileges): An attacker who already holds administrative (Privilege Level 15) credentials AND valid SNMP credentials can exploit the same overflow to execute arbitrary code as root on IOS XE devices, that is, on the underlying platform rather than within the IOS CLI.

CISA confirmed active exploitation and added the vulnerability to the KEV catalog on September 29, 2025, five days after the advisory.

Affected Versions

Affected versions span multiple Cisco IOS and IOS XE release trains, and the vulnerability applies regardless of which SNMP version (v1, v2c or v3) is configured. Use the Cisco Software Checker linked from the advisory to determine whether your specific software version is affected. Affected trains include IOS 12.2 and 15.x, IOS XE 3.x and 16.x, and current IOS XE releases.

Technical Details

The stack-based buffer overflow (CWE-121) occurs in the SNMP protocol handling code in Cisco IOS and IOS XE. When a device processes a specially crafted SNMP packet, insufficient validation of the payload size allows the stack buffer allocated for processing to be overflowed, corrupting the stack frame.

Two attack scenarios:

Scenario 1 — DoS (PR:L, Low privileges):

  • Attacker holds an SNMP v1/v2c read-only community string (commonly left at public/private, reused across an estate, and sent in cleartext on the wire) or valid SNMPv3 user credentials
  • Sends crafted SNMP packet → device reload (denial of service on the network device)
  • CVSS 7.7 reflects the Changed scope (S:C) — one device's crash affects downstream network connectivity

Scenario 2 — RCE (PR:H, High privileges):

  • Attacker has administrative credentials (Privilege Level 15) AND valid SNMP credentials
  • Can exploit the overflow for code execution as root on IOS XE devices
  • Turns existing IOS administrative access into root-level code execution on the underlying IOS XE platform, beyond what the CLI exposes

Key characteristics:

  • Affects the SNMP v1, v2c and v3 processing paths; for v3 the attacker needs valid user credentials, so migrating to v3 raises the bar but does not remove the vulnerability
  • SNMP is UDP-based: no TCP handshake and no connection state, so a single datagram suffices and a source address permitted by an ACL can be spoofed by an attacker who does not need the reply
  • DoS against core network devices can cause widespread outages, since a reload of a router or switch takes down every path through it until it recovers

Discovery

Reported by Cisco PSIRT, which stated that it became aware of successful in-the-wild exploitation after local administrator credentials had been compromised. Active exploitation was therefore observed before the September 29 CISA KEV listing.

Exploitation Context

Active exploitation was confirmed by Cisco and CISA. The DoS vector (low privileges required) is particularly dangerous for network infrastructure: an attacker who obtains an SNMP community string (from configuration backups, network management tools, cleartext v1/v2c traffic on the wire, or by guessing common strings) can force targeted network devices to reload. During a wider intrusion, repeated reloads can be used to disrupt connectivity or to force traffic onto paths the attacker prefers. The RCE vector requires administrative credentials and SNMP access, which matches Cisco's observation that exploitation followed the compromise of local administrator accounts.

Remediation

  1. Upgrade Cisco IOS/IOS XE to a fixed release per the Cisco Software Checker at the advisory URL. The CISA deadline was October 20, 2025.
  2. Restrict SNMP access via access control lists (ACLs) — limit SNMP queries to only known management systems' IP addresses.
  3. Rotate SNMP community strings if they were configured with default values (public, private) or widely shared strings.
  4. Migrate from SNMP v1/v2c to SNMPv3 in authPriv mode (authentication and encryption). This stops community strings from being read off the wire or guessed, but it does not remove the vulnerability: a valid SNMPv3 user can still trigger the reload on unpatched software, so step 1 remains mandatory.
  5. Disable SNMP entirely on devices that do not require it with no snmp-server in the IOS/IOS XE configuration.
  6. Monitor for SNMP queries from non-management sources: add the log keyword to the deny entry of the SNMP access list so rejected queries are recorded in syslog, and review each device's configured SNMP hosts with show snmp host, as Cisco's advisory recommends.
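The following Cisco IOS/IOS XE configuration, added here as an illustration and not taken from Cisco's advisory, puts steps 2 through 6 together: a typical weak SNMP configuration beside a hardened one that allow-lists the management hosts, removes shared v1/v2c strings, moves polling to SNMPv3 authPriv and logs rejected queries. The management addresses (10.0.0.10, 10.0.0.11), the object names (SNMP-MGMT, NMS-GROUP, NMS-VIEW, nms-poller) and the passphrases are placeholders chosen for the example. It does not replace the upgrade in step 1.

```cisco
! --- Weak configuration (the exposure described above) ---
! Guessable community strings, reachable from any source address.
! Anyone who learns "public" can trigger the DoS on an unpatched device.
snmp-server community public RO
snmp-server community private RW

! --- Hardened configuration (example; placeholders marked) ---
! Step 2: allow-list the management systems (addresses are placeholders).
!   "deny any log" writes a syslog entry for every rejected query, which
!   is the monitoring in step 6 without a separate interface ACL.
ip access-list standard SNMP-MGMT
 permit host 10.0.0.10
 permit host 10.0.0.11
 deny any log

! Step 3: remove the default/shared v1/v2c community strings.
no snmp-server community public
no snmp-server community private

! Step 3 (if a legacy poller still needs v2c): a unique, rotated string
!   bound to the allow-list. The string itself is a placeholder.
snmp-server community R0tated-Str1ng-9f3a RO SNMP-MGMT

! Step 4: SNMPv3 authPriv, read-only view, restricted to the allow-list.
!   Passphrases are placeholders; IOS requires at least 8 characters.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha Auth-Passphrase-ChangeMe priv aes 128 Priv-Passphrase-ChangeMe

! Step 5: on devices that are never polled, remove the agent entirely
!   instead of applying the lines above.
! no snmp-server
```

After applying the change, verify the result with show snmp user, show snmp group and show snmp community (the v3 passphrases are not displayed in the running configuration), and review show snmp host for notification targets you do not recognise. Remember that the hardened configuration only narrows who can reach the vulnerable code; any SNMPv3 user listed in show snmp user can still crash an unpatched device.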

Key Details

Property               Value
CVE ID                 CVE-2025-20352
Vendor / Product       Cisco — IOS and IOS XE
NVD Published          2025-09-24
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.7
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Severity               HIGH
CWE                    CWE-121
CISA KEV Added         2025-09-29
CISA KEV Deadline      2025-10-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Changed
Confidentiality       None
Integrity             None
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-10-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-09-24   CVE published; Cisco releases advisory and fixed software
2025-09-29   Added to CISA Known Exploited Vulnerabilities catalog; active exploitation confirmed
2025-10-20   CISA BOD 22-01 remediation deadline