Cisco has publicly disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-20352, affecting its widely deployed Cisco IOS and IOS XE software platforms. According to Cisco’s Product Security Incident Response Team (PSIRT), the flaw is being actively exploited in the wild, with confirmed attacks leveraging compromised administrator credentials.
Technical Overview of CVE-2025-20352
The vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. Cisco revealed that the root cause is a stack overflow condition that can be triggered by an attacker sending crafted SNMP packets over either IPv4 or IPv6. Notably, the vulnerability affects all versions of SNMP, including SNMPv1, v2c, and v3.
The issue, cataloged under CVE-2025-20352, can be exploited in two different scenarios depending on the privilege level of the attacker:
| CVE | Affected Product | Impact | CVSS 3.1 Score |
| CVE-2025-20352 | Cisco IOS and IOS XE SNMP subsystem | Denial of Service (DoS) / Remote Code Execution (RCE) | 7.7 (High) |
- Low-privileged attackers, who possess SNMPv2c read-only community strings or valid SNMPv3 credentials, can induce a denial-of-service condition, forcing the affected devices to reload and interrupting network availability.
- High-privileged attackers, in possession of SNMPv1 or v2c community strings and administrative (privilege 15) credentials, can go further and achieve full remote code execution on the device. This level of access would allow execution of arbitrary code as the root user, potentially giving attackers full control over the compromised system.
Affected Devices
Cisco confirmed that the flaw affects a broad range of devices running vulnerable versions of Cisco IOS and IOS XE software. This includes:
- Meraki MS390 switches
- Cisco Catalyst 9300 Series switches running Meraki CS 17 or earlier
The vulnerability remains present on any device with SNMP enabled, unless the device configuration has explicitly excluded the affected Object Identifier (OID).
Detection and Verification
Network administrators can check SNMP configurations using standard CLI commands:
- For SNMPv1 and v2c:
show running-config | include snmp-server communit
- For SNMPv3:
show running-config | include snmp-server group
show snmp use
These commands will indicate whether SNMP is active and provide insight into the access levels available on the device.
Mitigation and Fixes
While no direct workarounds are currently available, Cisco has released software updates that fully address the RCE vulnerability. Temporary mitigations include:
- Limiting SNMP access to trusted users only.
- Disabling affected OIDs using the snmp-server view command.
- Monitoring SNMP activity via show snmp host.
Administrators are warned, however, that modifying SNMP configurations may impact device management operations such as hardware discovery and inventory.
Cisco’s Response and Disclosure
The vulnerability was discovered during the investigation of a Cisco Technical Assistance Center (TAC) support case. Following the confirmation of in-the-wild exploitation, Cisco released Security Advisory ID: cisco-sa-snmp-x4LPhte, marking the issue as “High” severity with a CVSS score of 7.7.
Cisco encourages all customers to use the Cisco Software Checker to determine which versions are affected and apply the fixed software without delay. The recommended fixed release for impacted devices, such as Meraki CS, is IOS XE 17.15.4a.
Products Not Affected
Cisco confirmed that this RCE vulnerability does not impact the following:
- Cisco IOS XR Software
- Cisco NX-OS Software
Cisco PSIRT acknowledged that exploitation began after the compromise of local administrator credentials. No further details were provided regarding the threat actor or the scale of the attacks, but the company emphasized the urgency of applying updates, as the RCE vulnerability poses a critical risk to the network infrastructure.
