Mallory

Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices

Updated October 3, 2025 at 01:01 AM (2 sources)


A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. 
Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.


Related Stories

Stack-Based Buffer Overflow Vulnerability in Rockwell Automation Devices Using Cisco IOS XE

Rockwell Automation has disclosed a critical stack-based buffer overflow vulnerability affecting several of its products that utilize Cisco IOS XE Software. The vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE, which is integrated into Rockwell Automation's Stratix series switches and various Lifecycle Services offerings. Specifically, the affected Stratix models include the 5700, 5400, 5410, 5200, and 5800, with vulnerable firmware versions identified as v15.2(8)E7 and prior for the 5700, 5400, and 5410, and v17.17.01 and prior for the 5200 and 5800. Additionally, Rockwell Automation's Industrial Data Center (IDC) with Cisco Switching (Generations 1-5), IDC-Managed Support contracts, Network-Managed Support contracts, and Firewall-Managed Support contracts with Cisco hardware are also impacted. The vulnerability can be exploited remotely with low attack complexity, requiring only an SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials for a denial-of-service (DoS) attack. For arbitrary code execution as the root user, an attacker would need an SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials with administrative or privilege 15 access. Exploitation is possible by sending crafted SNMP packets over IPv4 or IPv6 networks to the affected devices. Successful exploitation could allow an attacker to execute arbitrary code or cause a DoS condition, posing significant risks to industrial control systems and critical infrastructure environments where these devices are deployed. The vulnerability is rated with a CVSS v4 base score of 6.3, indicating a medium to high severity. Rockwell Automation has advised customers to review their SNMP configurations, restrict network access to trusted sources, and apply available patches or mitigations as soon as possible.
The vulnerability is considered particularly concerning due to the widespread use of Cisco IOS XE in industrial environments and the potential for attackers to gain elevated privileges. Both advisories emphasize the importance of following best practices for network segmentation and access control to limit exposure. Organizations are urged to monitor for unusual SNMP activity and to ensure that only necessary SNMP services are enabled. The advisories also recommend disabling unused SNMP versions and enforcing strong authentication for SNMPv3. This vulnerability highlights the risks associated with third-party software components in industrial automation products and underscores the need for timely patch management and robust network defenses. The disclosure was coordinated with CISA, which has published advisories to inform and assist asset owners in mitigating the threat. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for attackers with appropriate credentials. The affected products are widely deployed in critical infrastructure sectors, making prompt remediation essential to prevent potential operational disruptions or compromise.
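As an added illustration of the SNMP-hardening guidance in this story and the credential-management advice in the main story above (not code from Rockwell, Cisco or Mallory): a small Python audit over constructed IOS-style running-config lines that flags v1/v2c communities, missing source ACLs, SNMPv3 groups below the priv security level, and users with MD5 authentication or no privacy. The config excerpts and the simplified command syntax it parses are assumptions.

```python
# Constructed sample running-config excerpts (not taken from any advisory):
# a weak SNMP setup and one hardened along the lines the advisories recommend.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW 10
snmp-server group OPS v3 auth
snmp-server user ops OPS v3 auth md5 ops-pass
"""

HARDENED_CONFIG = """\
access-list 10 permit 10.0.0.5
snmp-server group OPS v3 priv access 10
snmp-server user ops OPS v3 auth sha ops-pass priv aes 128 ops-key
"""


def audit_snmp(config: str) -> list[str]:
    """Return one finding per SNMP setting that widens exposure to a
    credentialed SNMP attack such as CVE-2025-20352."""
    findings = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, name, rest = tok[1], tok[2], tok[3:]
        # Assumed community syntax: snmp-server community NAME [RO|RW] [ACL]
        if kind == "community":
            findings.append(f"community '{name}': SNMPv1/v2c enabled")
            if "RW" in rest:
                findings.append(f"community '{name}': read-write access")
            if not [t for t in rest if t not in ("RO", "RW")]:
                findings.append(f"community '{name}': no source ACL")
        # Assumed group syntax: snmp-server group NAME v3 LEVEL [access ACL]
        elif kind == "group":
            if "v3" not in rest:
                findings.append(f"group '{name}': SNMPv1/v2c enabled")
            else:
                if rest[rest.index("v3") + 1] != "priv":
                    findings.append(f"group '{name}': security level below priv")
                if "access" not in rest:
                    findings.append(f"group '{name}': no source ACL")
        # Assumed user syntax: snmp-server user NAME GROUP v3 auth md5|sha PW [priv ...]
        elif kind == "user" and "v3" in rest:
            if "auth" in rest and rest[rest.index("auth") + 1] == "md5":
                findings.append(f"user '{name}': MD5 authentication")
            if "priv" not in rest:
                findings.append(f"user '{name}': no privacy (encryption)")
    return findings
```

Running `audit_snmp(WEAK_CONFIG)` yields eight findings, while the hardened excerpt yields none; the checks are a starting point for a config review, not a substitute for applying the corrected software versions.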

5 months ago

Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 for Rootkit Deployment

Attackers launched a coordinated campaign known as Operation Zero Disco, exploiting a critical vulnerability in Cisco's Simple Network Management Protocol (SNMP), identified as CVE-2025-20352. This vulnerability enables remote code execution (RCE) on affected Cisco switches, allowing threat actors to implant persistent Linux rootkits. The primary targets of this operation were Cisco 9400, 9300, and legacy 3750G series switches, particularly those running older Linux systems lacking modern endpoint detection and response (EDR) solutions. Attackers leveraged the SNMP flaw to gain unauthorized access, set universal passwords, and install hooks directly into the IOSd memory space, ensuring deep persistence and evasion from standard security monitoring. In addition to exploiting CVE-2025-20352, the attackers attempted to leverage a modified Telnet vulnerability, based on the older CVE-2017-3881, to further enable memory access and expand their foothold. The operation was characterized by the use of spoofed IP addresses and Mac email accounts to obfuscate the origin of the attacks and complicate attribution. Security researchers observed that the rootkits deployed were specifically designed to hide malicious activity and resist blue-team investigation, making detection and remediation more challenging. The campaign highlighted the risks associated with unpatched or unsupported network infrastructure, especially in environments where legacy devices are still in operation. Trend Micro's research emphasized the importance of advanced threat detection solutions, such as Trend Cloud One Network Security and Deep Discovery Inspector, which can identify Cisco-specific exploits and malicious controller communications. These tools utilize extended detection and response (XDR) capabilities and virtual patching to mitigate risks in hybrid cloud and traditional network environments. 
The incident underscores the need for organizations to promptly apply security advisories, update device firmware, and implement network segmentation to limit the impact of such exploits. Cisco's advisory on CVE-2025-20352 provided technical details and mitigation steps, but the operation demonstrated that attackers are quick to weaponize newly disclosed vulnerabilities. The use of rootkits on network devices represents a significant escalation in attacker sophistication, as it allows for long-term persistence and potential lateral movement within compromised environments. The campaign also serves as a warning for organizations relying on legacy hardware, which may not receive timely security updates or support. Security teams are advised to monitor for unusual SNMP activity, unauthorized configuration changes, and signs of rootkit installation on network devices. The Operation Zero Disco campaign is a stark reminder of the evolving threat landscape targeting network infrastructure and the critical importance of proactive vulnerability management.

5 months ago

Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)

Government and vendor advisories warned of **active, in-the-wild exploitation** of a critical **improper authentication / authentication bypass** vulnerability in **Cisco Catalyst SD-WAN** (tracked as `CVE-2026-20127`) affecting the **Catalyst SD-WAN Controller** (formerly *vSmart*) and related SD-WAN components. The flaw is in the **peering authentication process** and can allow an **unauthenticated remote attacker** to send crafted requests that result in access as an internal, high-privileged (non-root) administrative account, enabling actions such as **NETCONF access** and manipulation of SD-WAN fabric configuration; multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting some affected trains will not receive fixes. Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as **UAT-8616**, with evidence suggesting activity dating back to **2023**. Partner reporting and CISA guidance described a broader intrusion chain in which actors use `CVE-2026-20127` for initial access, then escalate privileges and persistence—reportedly including **software version downgrade** tactics and subsequent exploitation of `CVE-2022-20775`—leading to **root access** and long-term footholds in SD-WAN environments. CISA added both `CVE-2026-20127` and `CVE-2022-20775` to the **Known Exploited Vulnerabilities (KEV)** catalog and, via **Emergency Directive ED 26-03**, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.

2 weeks ago
