Approximately 2 Million Cisco Devices Vulnerable to Exploited Zero-Day Threat

As many as two million devices manufactured by Cisco are currently at risk due to an actively exploited zero-day vulnerability that allows for remote system crashes or code execution on affected devices. Cisco has identified this vulnerability, designated as CVE-2025-20352, which is present across all supported iterations of Cisco IOS and Cisco IOS XE, the operating systems that power a broad range of networking equipment produced by the company.

This vulnerability can be exploited by users with low-level permissions to initiate denial-of-service (DoS) attacks, while users with higher privileges can execute code with extensive root access. This particular flaw has been assigned a severity rating of 7.7 on a scale of 10, indicating a significant risk to affected systems.

According to Cisco's advisory, the company became aware of active exploitation of this vulnerability following the compromise of local Administrator credentials. Cisco strongly advises all customers to upgrade to a patched software version to mitigate the risks associated with this vulnerability.

The root cause of the vulnerability is a stack overflow error in the component of IOS responsible for handling Simple Network Management Protocol (SNMP). This protocol is utilized by routers and other devices to collect and manage information within a network. The exploitation occurs through the transmission of specially crafted SNMP packets.

To execute malicious code, an attacker needs access to the read-only community string, a form of authentication specific to SNMP for managing devices. Often, these community strings are included with devices upon shipping. Even when altered by an administrator, such strings are frequently known within the organization. An attacker would also require privileges on the vulnerable systems to gain remote code execution (RCE) capabilities that operate with root permissions.

Industry experts have noted that achieving RCE as root provides greater access than standard administrative privileges, which is generally not permissible on these devices. For a DoS attack, an attacker merely needs the read-only community string or valid credentials for SNMPv3.

Exposing SNMP interfaces to the Internet is generally discouraged, as it increases vulnerability to such attacks. However, research indicates that over two million devices globally are currently configured to allow this exposure. The Shodon search engine has highlighted this concerning trend.

The most effective defense against the exploitation of this vulnerability is to implement the update Cisco has released. For those unable to apply the update immediately, it is recommended to restrict SNMP access to trusted users and monitor Cisco devices using the command line interface.

CVE-2025-20352 is among 14 vulnerabilities that Cisco addressed in its September update, with eight of these vulnerabilities rated between 6.7 and 8.8 in severity.