Cisco disclosed a **high-severity zero-day vulnerability (CVE-2025-20352)** in its **IOS and IOS XE Software**, actively exploited in the wild. The flaw, a **stack-based buffer overflow** in the **SNMP subsystem**, allows **authenticated remote attackers with low privileges** to trigger **denial-of-service (DoS)** conditions on unpatched devices. High-privileged attackers can **execute arbitrary code as root**, gaining full system control. Exploitation occurs via **crafted SNMP packets** over IPv4/IPv6, with confirmed cases where **local administrator credentials were compromised**.

The vulnerability affects **all devices with SNMP enabled**, with no workarounds except patching. Cisco urged immediate upgrades, though temporary mitigation includes **restricting SNMP access to trusted users**. The flaw was discovered after **real-world exploitation**, highlighting critical risks to network infrastructure. Additionally, Cisco patched **13 other vulnerabilities**, including two with public proof-of-concept exploits: a **reflected XSS (CVE-2025-20240)** enabling cookie theft and a **DoS flaw (CVE-2025-20149)** allowing device reloads by local attackers. Prior incidents, such as the **May 2025 IOS XE flaw** (hard-coded JWT exploitation), underscore recurring risks of **unauthenticated remote takeovers** in Cisco’s ecosystem.
TPRM report: https://www.rankiteo.com/company/cisco
{
  "id": "cis2892128092425",
  "linkid": "cisco",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Networking Hardware/Software",
      "location": "Global",
      "name": "Cisco Systems, Inc.",
      "type": "Corporation"
    }
  ],
  "attack_vector": ["Network", "SNMP Protocol (IPv4/IPv6)"],
  "customer_advisories": ["Urgent recommendation to apply patches or mitigate SNMP access"],
  "description": "Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software, currently being exploited in attacks. The flaw is a stack-based buffer overflow in the SNMP subsystem, allowing authenticated remote attackers with low privileges to trigger DoS conditions or, if high-privileged, execute arbitrary code as root. Exploitation occurs via crafted SNMP packets over IPv4/IPv6. Cisco PSIRT confirmed in-the-wild exploitation after local Administrator credentials were compromised. Patches are available, but no workarounds exist beyond limiting SNMP access to trusted users as a temporary mitigation. Two additional vulnerabilities (CVE-2025-20240 and CVE-2025-20149) were also patched, with PoC exploit code available for the former.",
  "impact": {
    "operational_impact": [
      "Denial-of-Service (DoS) conditions",
      "Potential full system control by high-privileged attackers",
      "Cookie theft via XSS (CVE-2025-20240)"
    ],
    "systems_affected": ["Cisco devices running vulnerable IOS/IOS XE Software with SNMP enabled"]
  },
  "initial_access_broker": {"entry_point": ["Compromised local Administrator credentials"]},
  "investigation_status": "Ongoing (exploitation confirmed in the wild)",
  "post_incident_analysis": {
    "corrective_actions": ["Patch deployment (CVE-2025-20352, others)", "SNMP access restrictions"],
    "root_causes": ["Stack-based buffer overflow in SNMP subsystem", "Insufficient input validation for SNMP packets"]
  },
  "recommendations": [
    "Upgrade to fixed software releases immediately",
    "Limit SNMP access to trusted users if patching is delayed",
    "Monitor for signs of exploitation (e.g., unexpected SNMP traffic, DoS symptoms)",
    "Review Administrator credential security post-compromise"
  ],
  "references": [{"source": "Cisco PSIRT Advisory"}],
  "response": {
    "communication_strategy": ["Public advisory via Cisco PSIRT", "Recommendation for immediate patching"],
    "containment_measures": ["Limiting SNMP access to trusted users (temporary mitigation)"],
    "incident_response_plan_activated": true,
    "remediation_measures": ["Applying security patches for CVE-2025-20352, CVE-2025-20240, and CVE-2025-20149"]
  },
  "stakeholder_advisories": ["Cisco PSIRT advisory with patching guidance"],
  "title": "Cisco IOS and IOS XE Software Zero-Day Vulnerability (CVE-2025-20352) Exploited in Wild",
  "type": [
    "Zero-day Exploitation",
    "Buffer Overflow",
    "Denial-of-Service (DoS)",
    "Privilege Escalation",
    "Remote Code Execution (RCE)"
  ],
  "vulnerability_exploited": [
    {
      "cve_id": "CVE-2025-20352",
      "description": "Stack-based buffer overflow in SNMP subsystem of Cisco IOS/IOS XE Software",
      "severity": "High"
    },
    {
      "cve_id": "CVE-2025-20240",
      "description": "Reflected Cross-Site Scripting (XSS) in Cisco IOS XE"
    },
    {
      "cve_id": "CVE-2025-20149",
      "description": "Denial-of-Service (DoS) vulnerability in Cisco IOS XE (local attacker)"
    }
  ]
}