Cisco IOS: SNMP Denial Of Service and Remote Code Execution Vulnerability

We are reaching out to let you know that Cisco IOS is vulnerable and can be exploited via Remote Code Execution by attacker to gain unauthorized access to critical systems.

Attention constituent:

A vulnerability has been discovered in the SNMP (Simple Network Management Protocol) subsystem of Cisco IOS and IOS XE software. An attacker who has certain SNMP credentials can exploit this by sending a specially crafted SNMP packet. Depending on the level of credentials and privileges they hold, the attacker may cause a denial of service (device reload) or, with higher privileges, execute arbitrary code as the root user effectively gaining full control of the device.

Advisory Overview


Advisory Type Technical
Author Leon Strachan
Date 21 October 2025
What’s Happening


Affected Systems
  • Cisco devices running vulnerable versions of IOS or IOS XE with the SNMP subsystem enabled
  • Configurations where SNMP community strings (SNMPv1/v2c) or SNMPv3 credentials are in use and where SNMP access is not properly restricted.Especially relevant for enterprise switches, routers, and management devices (e.g., Catalyst 9300, Meraki MS390).
What this Means A vulnerability in Cisco IOS and IOS XE’s SNMP subsystem allows a remote, authenticated attacker to either cause a denial of service (DoS) or, with high privileges, execute code as root. Exploitation requires valid SNMP credentials (SNMPv1/v2c community string or SNMPv3 user) and, for code execution, administrative privileges. The issue stems from a stack overflow in the SNMP subsystem and can be triggered by sending a specially crafted SNMP packet over IPv4 or IPv6, potentially leading to system reloads or full device compromise.
What to Look For


Signs You May Be at Risk You may be at risk from CVE-2025-20352 if you’re using Cisco IOS or IOS XE devices with SNMP enabled, especially if they’re running outdated software or accessible from the internet. Attackers could exploit this flaw through SNMP (port 161) to gain elevated privileges or execute unauthorized actions. To stay protected, apply Cisco’s latest security updates, disable SNMP if unnecessary, or limit SNMP access to trusted internal networks using SNMPv3.
Signs You May Be Affected You may be affected if you notice unusual SNMP activity or unexpected system behavior on Cisco devices. Signs include repeated SNMP authentication failures, configuration changes you didn’t make, new or unknown admin accounts, unexplained reboots, or CPU spikes. Check system logs for suspicious SNMP traffic (especially on UDP port 161) or connections from unknown IPs. If any of these occur, isolate the affected device, review configurations, change SNMP credentials, and apply Cisco’s latest security updates immediately.
What to Do


Prevention
  • Immediately update affected Cisco devices to the patched firmware versions provided by Cisco.
  • Ensure SNMP access is restricted only to trusted network segments and authorized management hosts.
  • Use SNMPv3 with strong authentication and encryption, avoid use of default or publicly known community strings for SNMPv1/v2c.
  • Disable SNMP on devices where it is not required or restrict the OIDs (object identifiers) exposed.
Mitigation
  • Monitor device logs for unusual SNMP activity, unexpected reboots, or unknown root-level changes.
  • Immediately isolate devices suspected of compromise from the network.
  • Change all SNMP community strings/credentials and review device configurations for unauthorized changes.
  • Conduct integrity checks of device firmware and configurations to confirm there has been no latent modification.
Official Information


Should you require additional information or further support, submit a report on our website or contact us at [email protected].

Best,

Leon Strachan
Security Operations Centre
National Computer Incident Response Team of The Bahamas

 

Scroll to Top
Skip to content