September 26 Advisory: SNMP RCE in Cisco IOS and IOS XE Software [CVE-2025-20352]

Rapid Response

Vulnerability Description

CVE-2025-20352 is a critical vulnerability in the SNMP subsystem of Cisco IOS and IOS XE Software. It involves a stack overflow bug that can be exploited by a remote, authenticated user to either crash the device (causing a denial of service) or, in some cases, execute code as root. The impact depends on the attacker’s level of access. All versions of SNMP (v1, v2c, and v3) are affected.

CVE-ID: CVE-2025-20352 — CVSS 7.7 (high) — assigned by Cisco
Vulnerability Description: Cisco IOS and IOS XE Software contain a vulnerability in the SNMP subsystem due to improper bounds checking, leading to a stack overflow. A low-privileged authenticated attacker with SNMP access can cause a DoS condition by sending crafted SNMP packets. A high-privileged attacker can achieve RCE as the root user. The vulnerability affects SNMPv1, v2c, and v3 over both IPv4 and IPv6.
Date of Disclosure: September 24, 2025
Affected Assets: Cisco IOS and IOS XE Software, including Cisco Catalyst 9300 Series Switches and Meraki MS390 switches (running Meraki CS 17 or earlier).
Vulnerable Software Versions: Cisco IOS XE prior to 17.15.4a and various IOS builds (refer to Cisco Software Checker for details).
PoC Available?: As of writing, no public proof-of-concept exploit has been released.
Exploitation Status: Cisco PSIRT has confirmed in-the-wild exploitation following compromise of SNMP and admin credentials.
Patch Status: Cisco has released fixed software and recommends upgrading immediately. There are no workarounds, but administrators can mitigate the issue by applying SNMP views to restrict access to vulnerable OIDs.
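
As an added illustration of the view-based mitigation mentioned above (this is not Censys's or Cisco's code), the script below audits a Cisco IOS running-config for SNMP communities and SNMPv3 groups that are not confined to a view that actually excludes something. The sample config and the <VULNERABLE-OID> placeholder are constructed; the real OID subtrees to exclude come from Cisco's advisory.

```python
import re

# Constructed sample of a Cisco IOS running-config, not taken from the advisory.
# <VULNERABLE-OID> stands in for an OID subtree named in Cisco's advisory.
SAMPLE_CONFIG = """\
snmp-server view WIDEOPEN iso included
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED <VULNERABLE-OID> excluded
snmp-server community public RO
snmp-server community legacy-ro view WIDEOPEN RO 10
snmp-server community ops-ro view RESTRICTED RO 10
snmp-server group LEGACY v3 auth
snmp-server group NETOPS v3 priv read RESTRICTED
"""

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (\S+)(.*)$")


def _view_after(keyword, tokens):
    """Token following `keyword` ('view' or 'read') in a token list, or None."""
    i = tokens.index(keyword) + 1 if keyword in tokens else len(tokens)
    return tokens[i] if i < len(tokens) else None


def audit_snmp_views(config):
    """Return (kind, name, reason) for every community or SNMPv3 group that can
    still reach every OID subtree: no view bound, view undefined, or a view
    with no 'excluded' entry (which restricts nothing)."""
    lines = [ln.strip() for ln in config.splitlines()]
    excludes = {}  # view name -> True once the view has an 'excluded' entry
    for ln in lines:  # first pass, since views may be defined after use
        m = VIEW_RE.match(ln)
        if m:
            excludes[m.group(1)] = excludes.get(m.group(1), False) or m.group(3) == "excluded"
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if m:
            kind, name, view = "community", m.group(1), _view_after("view", m.group(2).split())
        elif (m := GROUP_RE.match(ln)):
            kind, name, view = "v3 group", m.group(1), _view_after("read", m.group(3).split())
        else:
            continue
        if view is None:
            findings.append((kind, name, "no view bound"))
        elif view not in excludes:
            findings.append((kind, name, f"view {view} is not defined"))
        elif not excludes[view]:
            findings.append((kind, name, f"view {view} excludes nothing"))
    return findings
```

Run it over `show running-config | include snmp-server` output; any finding is a principal that the mitigation does not yet cover, and the fix is still to upgrade.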

Censys Perspective

Censys has observed 192,038 internet-accessible Cisco IOS or IOS XE services exposing an SNMP service. We recommend immediately identifying devices with SNMP running and verifying they are patched or mitigated. Due to the critical nature and actively exploited status of this vulnerability, it should be treated with urgency.

The queries below help identify Cisco IOS and IOS XE devices that expose SNMP; a match indicates exposure, not that the device is necessarily vulnerable.

Censys Platform Query:

host.services: (software: (vendor: "Cisco" and product: {"IOS", "IOS XE"}) or hardware: (vendor: "Cisco" and product: {"IOS", "IOS XE"}) or operating_systems: (vendor: "Cisco" and product: {"IOS", "IOS XE"})) and host.services.protocol="SNMP"

Censys ASM Query:

host.services.software: (vendor="Cisco" and product={"IOS", "IOS XE"}) and host.services.service_name="SNMP"

Censys Legacy Search Query:

services.software: (vendor: "Cisco" and product: {"IOS", "IOS XE"}) and services.service_name="SNMP"
