Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices
A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Rockwell warns Lifecycle Services is affected by Cisco CVE-2025-20352
Rockwell Automation published an advisory stating that its Lifecycle Services is vulnerable to Cisco CVE-2025-20352. This expanded the story beyond Cisco's own products by identifying downstream exposure in a vendor service offering.
Cisco releases fixes for CVE-2025-20352
Cisco released software updates to address CVE-2025-20352, including IOS XE version 17.15.4a, and recommended immediate patching, restricting SNMP access, and increasing monitoring. The issue was described as affecting a large number of devices globally, including certain Meraki MS390 and Catalyst 9300 platforms running vulnerable software.
Cisco SNMP flaw CVE-2025-20352 is exploited in the wild
A critical stack overflow vulnerability in the SNMP subsystem of Cisco IOS and IOS XE, tracked as CVE-2025-20352, was reported as being actively exploited in the wild. The flaw affects all SNMP versions on impacted devices and can allow an authenticated remote attacker to cause denial of service or execute code as root using stolen or mismanaged SNMP credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Stack-Based Buffer Overflow Vulnerability in Rockwell Automation Devices Using Cisco IOS XE
Rockwell Automation has disclosed a critical stack-based buffer overflow vulnerability affecting several of its products that utilize Cisco IOS XE Software. The vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE, which is integrated into Rockwell Automation's Stratix series switches and various Lifecycle Services offerings. Specifically, the affected Stratix models include the 5700, 5400, 5410, 5200, and 5800, with vulnerable firmware versions identified as v15.2(8)E7 and prior for the 5700, 5400, and 5410, and v17.17.01 and prior for the 5200 and 5800. Additionally, Rockwell Automation's Industrial Data Center (IDC) with Cisco Switching (Generations 1-5), IDC-Managed Support contracts, Network-Managed Support contracts, and Firewall-Managed Support contracts with Cisco hardware are also impacted. The vulnerability can be exploited remotely with low attack complexity, requiring only SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials for a denial-of-service (DoS) attack. For arbitrary code execution as the root user, an attacker would need SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials with administrative or privilege 15 access. Exploitation is possible by sending crafted SNMP packets over IPv4 or IPv6 networks to the affected devices. Successful exploitation could allow an attacker to execute arbitrary code or cause a DoS condition, posing significant risks to industrial control systems and critical infrastructure environments where these devices are deployed. The vulnerability is rated with a CVSS v4 base score of 6.3, indicating a medium to high severity. Rockwell Automation has advised customers to review their SNMP configurations, restrict network access to trusted sources, and apply available patches or mitigations as soon as possible. The vulnerability is considered particularly concerning due to the widespread use of Cisco IOS XE in industrial environments and the potential for attackers to gain elevated privileges. Both advisories emphasize the importance of following best practices for network segmentation and access control to limit exposure. Organizations are urged to monitor for unusual SNMP activity and to ensure that only necessary SNMP services are enabled. The advisories also recommend disabling unused SNMP versions and enforcing strong authentication for SNMPv3. This vulnerability highlights the risks associated with third-party software components in industrial automation products and underscores the need for timely patch management and robust network defenses. The disclosure was coordinated with CISA, which has published advisories to inform and assist asset owners in mitigating the threat. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for attackers with appropriate credentials. The affected products are widely deployed in critical infrastructure sectors, making prompt remediation essential to prevent potential operational disruptions or compromise.
Mar 21, 2026
Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 for Rootkit Deployment
Attackers launched a coordinated campaign known as Operation Zero Disco, exploiting a critical vulnerability in Cisco's Simple Network Management Protocol (SNMP), identified as CVE-2025-20352. This vulnerability enables remote code execution (RCE) on affected Cisco switches, allowing threat actors to implant persistent Linux rootkits. The primary targets of this operation were Cisco 9400, 9300, and legacy 3750G series switches, particularly those running older Linux systems lacking modern endpoint detection and response (EDR) solutions. Attackers leveraged the SNMP flaw to gain unauthorized access, set universal passwords, and install hooks directly into the IOSd memory space, ensuring deep persistence and evasion from standard security monitoring. In addition to exploiting CVE-2025-20352, the attackers attempted to leverage a modified Telnet vulnerability, based on the older CVE-2017-3881, to further enable memory access and expand their foothold. The operation was characterized by the use of spoofed IP addresses and Mac email accounts to obfuscate the origin of the attacks and complicate attribution. Security researchers observed that the rootkits deployed were specifically designed to hide malicious activity and resist blue-team investigation, making detection and remediation more challenging. The campaign highlighted the risks associated with unpatched or unsupported network infrastructure, especially in environments where legacy devices are still in operation. Trend Micro's research emphasized the importance of advanced threat detection solutions, such as Trend Cloud One Network Security and Deep Discovery Inspector, which can identify Cisco-specific exploits and malicious controller communications. These tools utilize extended detection and response (XDR) capabilities and virtual patching to mitigate risks in hybrid cloud and traditional network environments. The incident underscores the need for organizations to promptly apply security advisories, update device firmware, and implement network segmentation to limit the impact of such exploits. Cisco's advisory on CVE-2025-20352 provided technical details and mitigation steps, but the operation demonstrated that attackers are quick to weaponize newly disclosed vulnerabilities. The use of rootkits on network devices represents a significant escalation in attacker sophistication, as it allows for long-term persistence and potential lateral movement within compromised environments. The campaign also serves as a warning for organizations relying on legacy hardware, which may not receive timely security updates or support. Security teams are advised to monitor for unusual SNMP activity, unauthorized configuration changes, and signs of rootkit installation on network devices. The Operation Zero Disco campaign is a stark reminder of the evolving threat landscape targeting network infrastructure and the critical importance of proactive vulnerability management.
Mar 21, 2026
Cisco IOS XE Flaws Enable Remote Code Execution and Device Takeover
Multiple vulnerabilities in **Cisco IOS** and **Cisco IOS XE** devices have exposed routers, switches, access points, and Catalyst 9000 platforms to severe compromise, including **remote code execution**, **denial of service**, **access control bypass**, **privilege escalation**, **secure boot bypass**, **cross-site scripting**, and memory corruption. Traficom highlighted newly disclosed flaws such as `CVE-2025-20334` and `CVE-2025-20363`, which may allow arbitrary code execution, and urged organizations to update affected products in line with Cisco’s version-specific advisories. The warning follows earlier real-world attacks against internet-exposed Cisco IOS XE Web GUI instances, where attackers exploited `CVE-2023-20198` and `CVE-2023-20273` to create unauthorized administrator accounts, install a backdoor implant, and seize full control of devices. Cisco Talos reported the campaign affected exposed systems internationally, with tens of thousands of vulnerable devices identified online, while Finnish authorities said some domestic devices had already been backdoored and advised restricting Web GUI access to trusted networks or removing public internet exposure entirely.
Apr 22, 2026