Cyber Security News

Cisco IOS 0-Day RCE Vulnerability Actively Exploited in the Wild

Cisco has disclosed a zero-day vulnerability, CVE-2025-20352, in its widely used IOS and IOS XE software, confirming it is being actively exploited in the wild.

The flaw exists in the Simple Network Management Protocol (SNMP) subsystem and can allow an authenticated remote attacker to execute code or cause a denial-of-service (DoS) condition on vulnerable devices.

The vulnerability was first identified during the investigation of a Cisco Technical Assistance Center (TAC) support case.

The vulnerability is a stack-based buffer overflow (CWE-121) in the SNMP subsystem of both Cisco IOS and IOS XE Software. An attacker can trigger it by sending a crafted SNMP packet to an affected device over IPv4 or IPv6.

The advisory, published on September 24, 2025, confirms that all versions of SNMP (v1, v2c, and v3) are susceptible.

The impact depends on what credentials the attacker holds:

  • A low-privileged, authenticated remote attacker can cause the affected device to reload, resulting in a DoS condition. This requires the SNMPv1 or SNMPv2c read-only community string or valid SNMPv3 user credentials.
  • An attacker who holds those SNMP credentials and also administrative or privilege 15 credentials on the device can execute arbitrary code as the root user on devices running IOS XE, gaining full control of the underlying system.

Active Exploitation and Affected Devices

Cisco’s Product Security Incident Response Team (PSIRT) has confirmed successful exploitation of this vulnerability in the wild.

According to the advisory, the attackers exploited the flaw after first compromising local administrator credentials, chaining credential theft with the SNMP bug to reach code execution.

This underlines that strong credential management is needed alongside patching: the root-level outcome is not reachable with SNMP access alone.

The vulnerability impacts a broad range of Cisco devices running vulnerable releases of IOS and IOS XE software where SNMP is enabled. Specific products mentioned include the Meraki MS390 and Cisco Catalyst 9300 Series Switches.

Product: Cisco IOS and IOS XE Software
  Affected versions: All releases with SNMP enabled prior to the first fixed release.
  Fixed release: Use the Cisco Software Checker to find the first fixed release for your software train.

Product: Meraki MS390 Switches
  Affected versions: Meraki CS 17 and earlier.
  Fixed release: Cisco IOS XE Software Release 17.15.4a.

Product: Cisco Catalyst 9300 Series Switches running Meraki CS
  Affected versions: Meraki CS 17 and earlier.
  Fixed release: Cisco IOS XE Software Release 17.15.4a.

Any device with SNMP enabled is considered vulnerable unless the affected OIDs are excluded from the SNMP views in use. Administrators can check whether SNMP is configured with show running-config | include snmp-server, which lists the configured community strings, SNMPv3 groups, views and trap hosts.

Cisco has released software updates that fix this vulnerability and strongly recommends that all customers upgrade to a fixed release to fully remediate it. The advisory, identified as cisco-sa-snmp-x4LPhte, states that there are no workarounds, only the mitigation described below.

For organizations that cannot apply the updates immediately, Cisco has provided a mitigation. Administrators can configure an SNMP view that excludes the affected object identifiers (OIDs) and bind that view to every community string and SNMPv3 group, so that queries cannot reach the vulnerable code path. A view that is defined but not bound to any community or group changes nothing.

However, Cisco cautions that this mitigation may disrupt network management functionalities, such as device discovery and hardware inventory monitoring. As a general security measure, Cisco also advises restricting SNMP access to only trusted users.
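Checking which of these conditions hold on a device is easier against a saved copy of show running-config than by eye. The following Python script is an added example written for this article, not Cisco tooling: it parses the snmp-server community, group and view lines, reports whether SNMP is enabled, and flags every community or SNMPv3 group that has RW access, has no access-list, or is not bound to a view that excludes any subtree. The sample configuration inside it is constructed, and the 1.3.6.1.2.1.2 subtree it excludes is a placeholder; the OIDs that actually need excluding are the ones listed in the Cisco advisory.

```python
"""Audit saved `show running-config` output for SNMP exposure relevant to
CVE-2025-20352: is SNMP enabled, which communities and SNMPv3 groups exist,
and is each one bound to a view that excludes at least one subtree.
Added example, not Cisco tooling. Assumes Cisco IOS / IOS XE config syntax."""
import re
from dataclasses import dataclass, field

# Constructed sample config (not captured from a real device). "public" has
# no view and no ACL, "mgmt" is RW, "ro-nms" and group NMSV3 use view SAFE.
# 1.3.6.1.2.1.2 is a placeholder subtree; use the OIDs from the advisory.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
access-list 10 permit 10.0.0.5
!
snmp-server view SAFE iso included
snmp-server view SAFE 1.3.6.1.2.1.2 excluded
snmp-server community public RO
snmp-server community mgmt RW 10
snmp-server community ro-nms view SAFE RO 10
snmp-server group NMSV3 v3 priv read SAFE access 10
snmp-server group LEGACY v3 auth
snmp-server host 10.0.0.5 version 2c ro-nms
!
end
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$")
# snmp-server group <name> v3 {auth|noauth|priv} [read <v>] [write <v>] [notify <v>] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2c|v3)"
    r"(?: (?P<sec>auth|noauth|priv))?(?: read (?P<read>\S+))?"
    r"(?: write (?P<write>\S+))?(?: notify (?P<notify>\S+))?"
    r"(?: access (?P<acl>\S+))?\s*$")
# snmp-server view <name> <oid-tree> included|excluded
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<oid>\S+) (?P<rule>included|excluded)\s*$")


@dataclass
class SnmpAudit:
    snmp_enabled: bool = False
    communities: dict = field(default_factory=dict)  # name -> {view, mode, acl}
    groups: dict = field(default_factory=dict)       # name -> {ver, read, write, acl}
    views: dict = field(default_factory=dict)        # name -> [(oid, rule), ...]
    findings: list = field(default_factory=list)


def _check_view(audit, who, view):
    """A view only helps if it is bound and actually excludes something."""
    if view is None:
        audit.findings.append(
            f"{who}: no view bound, full MIB exposed; OID-exclusion mitigation not applied")
    elif view not in audit.views:
        audit.findings.append(f"{who}: references undefined view {view}")
    elif not any(rule == "excluded" for _, rule in audit.views[view]):
        audit.findings.append(
            f"{who}: view {view} excludes no subtree; confirm it omits the advisory OIDs")


def audit_snmp(config_text: str) -> SnmpAudit:
    audit = SnmpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            audit.communities[m["name"]] = {
                "view": m["view"], "mode": m["mode"] or "RO", "acl": m["acl"]}
        elif m := GROUP_RE.match(line):
            audit.groups[m["name"]] = {
                "ver": m["ver"], "read": m["read"], "write": m["write"], "acl": m["acl"]}
        elif m := VIEW_RE.match(line):
            audit.views.setdefault(m["name"], []).append((m["oid"], m["rule"]))
    # The agent answers queries only once a community string or group exists.
    audit.snmp_enabled = bool(audit.communities or audit.groups)
    if not audit.snmp_enabled:
        audit.findings.append("SNMP not configured; vulnerable code path not reachable")
        return audit
    for name, c in audit.communities.items():
        who = f"community {name}"
        if c["mode"] == "RW":
            audit.findings.append(f"{who}: RW access; not needed for monitoring, lets a stolen string change device state")
        if c["acl"] is None:
            audit.findings.append(f"{who}: no access-list; reachable from any source")
        _check_view(audit, who, c["view"])
    for name, g in audit.groups.items():
        who = f"group {name}"
        if g["acl"] is None:
            audit.findings.append(f"{who}: no access-list; reachable from any source")
        if g["write"]:
            audit.findings.append(f"{who}: write view {g['write']} bound")
        _check_view(audit, who, g["read"])
    return audit


if __name__ == "__main__":
    result = audit_snmp(SAMPLE_CONFIG)
    print("SNMP enabled:", result.snmp_enabled)
    for finding in result.findings:
        print(" -", finding)
```

Run it against the output of show running-config saved from each device; a clean result means every community and group is bound to a view with at least one excluded subtree and restricted by an access-list, which is the shape of the advisory's mitigation, but it does not replace upgrading to a fixed release.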


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
