Cisco has disclosed a serious security vulnerability in IOS and IOS XE software that allows both denial of service and remote code execution via the Simple Network Management Protocol, or SNMP for short.
The vulnerability, tracked as CVE-2025-20352, is an actively exploited zero-day with a CVSS score of 7.7.
The vulnerability is caused by a stack overflow in the SNMP subsystem. An attacker who holds valid SNMP credentials can send specially crafted SNMP packets to disrupt an affected device or even take it over completely. With low-privileged credentials, the attacker can force the device to reload, which amounts to a denial-of-service attack. With higher-privileged credentials, the attacker can execute arbitrary code as root, gaining full administrative control of the device and, from there, of the surrounding infrastructure.
Two million vulnerable devices
Research using the Shodan search engine indicates that approximately two million Cisco devices worldwide may be vulnerable because their SNMP interfaces are directly exposed to the internet. That number makes clear how significant the potential impact is, especially given the role Cisco equipment plays in corporate networks and critical infrastructure. Cisco also confirms that the vulnerability is already being exploited in the wild, by attackers who had first obtained compromised administrator credentials.
The problem affects all devices running Cisco IOS or IOS XE that have SNMP enabled and do not explicitly exclude the affected object identifiers (OIDs) from their SNMP views. Meraki MS390 and Cisco Catalyst 9300 switches running Meraki CS 17 or older are also vulnerable. For this category, the bug has been fixed in IOS XE release 17.15.4a.
No viable workarounds
Cisco emphasizes that there are no workable workarounds. The only mitigation is to exclude the affected OIDs from the SNMP view, but doing so can break SNMP-based management and monitoring. The only structural solution is to install the patches released by Cisco.
The vulnerability is part of a broader September update in which Cisco fixed fourteen security vulnerabilities. Eight of these received a high CVSS score. Organizations are strongly advised to upgrade their devices and restrict SNMP access to trusted users whenever possible.
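The two interim measures the article mentions, excluding the affected OIDs from the SNMP view and restricting SNMP access to trusted users, both map to a few lines of IOS / IOS XE configuration. The fragment below is an added illustration, not configuration taken from the Cisco advisory or from this article; the hostnames, the management address 192.0.2.10, the view, group and user names, and the <AFFECTED-OID> and passphrase placeholders are all assumptions to be replaced with your own values and with the OIDs Cisco lists in the advisory.

```cisco
! Added example, not from the Cisco advisory: SNMP hardening on IOS / IOS XE
! while waiting for the fixed release. All names, addresses, OIDs and
! passphrases are placeholders.
!
! 1. Allow SNMP only from the management station(s); log everything else.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log
!
! 2. Build a read view that excludes the vulnerable OID subtree.
!    Replace <AFFECTED-OID> with the OID(s) named in Cisco's advisory.
snmp-server view NO-VULN-OID iso included
snmp-server view NO-VULN-OID <AFFECTED-OID> excluded
!
! 3. Drop v1/v2c community strings and use an SNMPv3 authPriv group
!    bound to the restricted view and the management ACL.
no snmp-server community public
snmp-server group MONITOR-GRP v3 priv read NO-VULN-OID access SNMP-MGMT
snmp-server user monitor MONITOR-GRP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
```

Verify the result with `show snmp view` and `show snmp group` before trusting it, and check that your monitoring still polls the OIDs it needs, since the excluded subtree is exactly the kind of disruption the article warns about. The ACL and SNMPv3 reduce exposure but do not remove the vulnerability: an attacker holding valid credentials on a permitted host can still reach the flawed code, so the configuration is a stopgap until the fixed release is installed.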
Due to the combination of active exploitation, the enormous scale of exposed systems, and the lack of simple workarounds, this vulnerability is currently considered one of the most urgent threats to Cisco environments.