Cisco IOS XE Flaws Enable Remote Code Execution and Device Takeover
Multiple vulnerabilities in Cisco IOS and Cisco IOS XE devices have exposed routers, switches, access points, and Catalyst 9000 platforms to severe compromise, including remote code execution, denial of service, access control bypass, privilege escalation, secure boot bypass, cross-site scripting, and memory corruption. Traficom highlighted newly disclosed flaws such as CVE-2025-20334 and CVE-2025-20363, which may allow arbitrary code execution, and urged organizations to update affected products in line with Cisco’s version-specific advisories.
The warning follows earlier real-world attacks against internet-exposed Cisco IOS XE Web GUI instances, where attackers exploited CVE-2023-20198 and CVE-2023-20273 to create unauthorized administrator accounts, install a backdoor implant, and seize full control of devices. Cisco Talos reported the campaign affected exposed systems internationally, with tens of thousands of vulnerable devices identified online, while Finnish authorities said some domestic devices had already been backdoored and advised restricting Web GUI access to trusted networks or removing public internet exposure entirely.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Authorities recommend updating affected Cisco IOS and IOS XE products
The 2025 advisory recommended that organizations update affected Cisco products in line with Cisco’s version-specific guidance and advisories. The notice highlighted management interfaces, SNMP, TACACS+, certificate services, and Cisco Catalyst 9000 platforms among the affected areas.
Cisco discloses multiple new IOS and IOS XE vulnerabilities
A later security notice described multiple vulnerabilities affecting Cisco IOS and IOS XE devices, including remote code execution, denial of service, access control bypass, privilege escalation, secure boot bypass, cross-site scripting, and memory corruption flaws. Notable issues included CVE-2025-20334 and CVE-2025-20363, both of which could enable remote arbitrary code execution.
Finnish authorities warn owners of exposed Cisco IOS XE devices
Finland’s Kyberturvallisuuskeskus alerted local owners of internet-exposed Cisco IOS XE devices and advised restricting Web GUI access to trusted networks or removing public exposure. It said the number of detected vulnerable devices in Finland had fallen from about 40 to under 20, though some already showed signs of the backdoor malware.
Cisco begins releasing security updates for IOS XE zero-days
Cisco started issuing security updates for the exploited Cisco IOS XE vulnerabilities as the campaign unfolded. The updates began on October 22, 2023, according to the reference.
Cisco Talos identifies backdoor implant and chained CVEs in campaign
Cisco Talos reported that compromised Cisco IOS XE devices contained unauthorized user accounts and a backdoor malware implant. It later identified the campaign as exploiting both CVE-2023-20198 and CVE-2023-20273.
Attackers exploit Cisco IOS XE zero-day via exposed Web GUI
A critical intrusion campaign targeted Cisco IOS XE devices whose Web GUI was exposed to the public internet. The exploitation allowed attackers to create a full administrator account, take control of affected routers, switches, and access points, and install malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Haavoittuvuuksia Cisco IOS ja IOS XE -laitteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceHaavoittuvuuksia Cisco IOS ja IOS XE -laitteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKyberturvallisuuskeskuksen viikkokatsaus - 43/2023 | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco ISE Flaws Expose Networks to RCE and Sensitive Data Disclosure
Cisco disclosed two vulnerabilities in **Cisco Identity Services Engine (ISE)** and **Cisco ISE Passive Identity Connector (ISE-PIC)**, including the critical remote code execution flaw `CVE-2026-20181` and the high-severity information disclosure flaw `CVE-2026-20190`. Cisco said `CVE-2026-20181` carries a CVSS score of **9.1** and can let an authenticated attacker with valid administrative credentials execute arbitrary commands, obtain user-level access, potentially escalate privileges to root, and in single-node deployments trigger a denial-of-service condition. The second flaw, rated **7.5**, can allow an unauthenticated attacker to access sensitive information such as hashed credentials because of improper authorization checks. The affected software includes all releases prior to **3.3**, versions before **3.3 Patch 11** in release 3.3, versions before **3.4 Patch 6** in release 3.4, and versions before **3.5 Patch 4** in release 3.5, according to the Canadian Centre for Cyber Security notice summarizing Cisco’s advisories. Cisco said the vulnerabilities are independent, no workarounds are available, and no confirmed exploitation had been reported at disclosure time. Authorities urged administrators to review Cisco’s advisories and apply the available updates immediately.
Jun 21, 2026
Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices
A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.
Mar 21, 2026
Cisco IOS XR CLI Privilege Escalation Vulnerabilities Enabling Root Command Execution
Cisco released fixes for **two high-severity privilege-escalation vulnerabilities** in **Cisco IOS XR Software** that could allow an **authenticated, local, low-privileged user** to elevate privileges and either execute arbitrary commands as **root** or obtain full administrative control of affected routing devices. The issues were identified during Cisco internal testing and are described as independent flaws (exploitation of one is not required to exploit the other); Cisco provided software updates to remediate affected versions. One flaw, **CVE-2026-20040**, is caused by insufficient validation of user-supplied arguments to certain *CLI* commands, enabling crafted input to result in root-level command execution. The second, **CVE-2026-20046**, stems from incorrect mapping of a CLI command to task groups, allowing bypass of task-group authorization checks and granting administrative control; it specifically impacts **IOS XRv 9000**. Canada’s Centre for Cyber Security highlighted Cisco’s broader advisory set (AV26-223), which includes these **IOS XR CLI privilege escalation vulnerabilities** alongside other IOS XR denial-of-service issues and web vulnerabilities in Cisco contact center products, and urged organizations to apply vendor updates as they become available.
Apr 11, 2026