
Cisco IOS and IOS XE SNMP Zero-Day Actively Exploited (CVE-2025-20352)

CVE-2025-20352

Filip Dimitrov

September 26, 2025

Cisco disclosed CVE-2025-20352, a stack overflow in the SNMP subsystem of IOS and IOS XE, now confirmed as actively exploited in the wild. Attackers holding valid SNMP read-only credentials can crash devices (DoS); with higher-privileged credentials they can escalate to remote code execution as root.

Shodan scans reveal more than 2 million Cisco devices with exposed SNMP interfaces, highlighting the massive attack surface.

How Exploitation Works

The flaw is triggered through crafted SNMP packets. Exploitation requires valid credentials, which are often easy to obtain due to weak or default community strings that remain common in enterprise environments.

  • With read-only SNMP strings or basic SNMPv3 accounts, attackers can crash devices and cause denial-of-service conditions.
  • With administrator-level privileges, they can escalate to remote code execution with root control.

Cisco’s advisory confirms that in-the-wild exploitation has followed cases where administrator credentials were already compromised, which shows the bug is being chained into multi-stage campaigns.

Once root access is obtained, attackers can install persistent implants, intercept or reroute traffic, and use compromised routers as launchpads for deeper access.

What to Do Now

The most effective defense is to patch immediately using Cisco’s fixed software releases. Until then, organizations should restrict SNMP to trusted management networks and block all public exposure. 

Hardening is critical: use SNMPv3 with strong encryption, rotate credentials, and eliminate defaults such as “public” or “private.”

For environments where patching must be delayed, Cisco recommends disabling or restricting vulnerable OIDs. Segmentation of management interfaces from user networks reduces exposure further.
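The hardening steps above (trusted-network ACLs, no default community strings, SNMPv3 with authentication and privacy, restricted views) can be checked mechanically against a running-config. The script below is an added example, not code from Cisco or OP Innovate: it audits a constructed IOS configuration fragment and flags the weak patterns the advisory warns about, then shows that a hardened fragment passes. The ACL name, group and user names, passwords and the excluded OID are all constructed placeholders.

```python
import re

# Constructed weak fragment: default community strings, a read-write community,
# no access-list binding, and an SNMPv3 group/user with no privacy (encryption).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group OPS v3 noauth
snmp-server user ops OPS v3 auth md5 WeakPass
"""

# Constructed hardened fragment: community strings replaced by an SNMPv3
# auth+priv user, group bound to a management ACL and a restricted view.
# 1.3.6.1.4.1.99999 is a placeholder OID, not one from the advisory.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
 deny   any
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED 1.3.6.1.4.1.99999 excluded
snmp-server group NMS-RO v3 priv read RESTRICTED access SNMP-MGMT
snmp-server user nms-poller NMS-RO v3 auth sha ExamplePass1! priv aes 128 ExamplePass2!
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$"
)
# snmp-server group <name> v3 noauth|auth|priv ...
GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)\b")
# snmp-server user <name> <group> v3 [auth ...] [priv ...]
USER_RE = re.compile(r"^snmp-server user (?P<name>\S+) (?P<group>\S+) v3\b(?P<rest>.*)$")


def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per weak SNMP setting found in an IOS-style config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()

        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            mode = m.group("mode") or "RO"   # IOS defaults a community to read-only
            acl = m.group("acl")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{name}'")
            if mode == "RW":
                findings.append(f"read-write community '{name}' grants write-level SNMP access")
            if acl is None:
                findings.append(f"community '{name}' has no access-list; reachable from any source")
            continue

        m = GROUP_RE.match(line)
        if m and m.group("level") != "priv":
            findings.append(
                f"SNMPv3 group '{m.group('name')}' uses '{m.group('level')}' instead of priv (no encryption)"
            )
            continue

        m = USER_RE.match(line)
        if m and " priv " not in m.group("rest") + " ":
            findings.append(f"SNMPv3 user '{m.group('name')}' has no priv (privacy) settings")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_snmp_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against `show running-config | include snmp-server` output from each device; an empty findings list means no default communities, no unbound or read-write communities, and SNMPv3 groups and users all at auth+priv.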

Detection Guidance

Exploitation attempts may not always leave obvious signs, but defenders can focus on several high-value indicators:

  • Unexpected device crashes, reloads, or sudden configuration changes.
  • Abnormal SNMP traffic patterns, such as malformed requests or unusual query spikes.
  • Signs of persistence, including tampered firmware or modified IOS images.

Threat hunters should also look beyond the IOS and IOS XE devices themselves for related unusual activity. Internal SNMP traffic that diverges from baseline, or new sources communicating with core routers, may indicate lateral movement.
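The indicators listed above (malformed requests, query spikes, SNMP from sources outside the management baseline) translate directly into hunting rules over flow or collector logs. The script below is an added example, not part of the original post or a vendor tool: it runs four such rules over a constructed log of SNMP requests to two core routers. The log format, host addresses, baseline manager set and spike factor are all assumptions; adapt them to your own NetFlow or packet-capture export.

```python
import re
from collections import Counter
from statistics import median

# Constructed log lines: "<ts> <src> -> <dst>/<port> <pdu> <bytes> <status>".
# The first four lines are normal polling from the two known NMS hosts; the
# rest come from an unexpected internal host and include requests the
# collector could not decode and a set-request.
SAMPLE_LOG = """\
2025-09-26T10:00:01Z 10.0.100.5 -> 10.0.1.1/161 get-request 84 ok
2025-09-26T10:00:31Z 10.0.100.5 -> 10.0.1.2/161 get-request 84 ok
2025-09-26T10:01:01Z 10.0.100.6 -> 10.0.1.1/161 get-bulk 110 ok
2025-09-26T10:01:31Z 10.0.100.6 -> 10.0.1.2/161 get-bulk 110 ok
2025-09-26T10:02:05Z 10.0.42.77 -> 10.0.1.1/161 get-request 1480 malformed
2025-09-26T10:02:05Z 10.0.42.77 -> 10.0.1.1/161 get-request 1480 malformed
2025-09-26T10:02:06Z 10.0.42.77 -> 10.0.1.1/161 set-request 1480 malformed
2025-09-26T10:02:06Z 10.0.42.77 -> 10.0.1.1/161 get-next 92 ok
2025-09-26T10:02:07Z 10.0.42.77 -> 10.0.1.1/161 get-next 92 ok
2025-09-26T10:02:07Z 10.0.42.77 -> 10.0.1.1/161 get-next 92 ok
2025-09-26T10:02:08Z 10.0.42.77 -> 10.0.1.2/161 get-next 92 ok
2025-09-26T10:02:08Z 10.0.42.77 -> 10.0.1.2/161 get-next 92 ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^/]+)/(?P<port>\d+) "
    r"(?P<pdu>\S+) (?P<bytes>\d+) (?P<status>\S+)$"
)

CORE_ROUTERS = {"10.0.1.1", "10.0.1.2"}          # assumed: devices worth watching closely
BASELINE_MANAGERS = {"10.0.100.5", "10.0.100.6"}  # assumed: hosts expected to poll them
SPIKE_FACTOR = 3  # a source is a spike if it exceeds 3x the median baseline volume


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def detect(lines):
    """Apply the four hunting rules and return a list of alert dicts."""
    records = parse(lines)
    alerts = []
    per_src = Counter(r["src"] for r in records if r["dst"] in CORE_ROUTERS)

    # Rule 1: SNMP to a core router from a host outside the management baseline.
    for src in sorted(per_src):
        if src not in BASELINE_MANAGERS:
            alerts.append({"rule": "new_source", "src": src,
                           "detail": f"{per_src[src]} requests to core routers from a non-baseline host"})

    # Rule 2: requests the collector could not decode (malformed SNMP).
    malformed = Counter(r["src"] for r in records if r["status"] == "malformed")
    for src, n in sorted(malformed.items()):
        alerts.append({"rule": "malformed", "src": src, "detail": f"{n} undecodable requests"})

    # Rule 3: query volume far above what the baseline managers generate.
    baseline_counts = [per_src[s] for s in BASELINE_MANAGERS if per_src[s]]
    if baseline_counts:
        threshold = SPIKE_FACTOR * median(baseline_counts)
        for src, n in sorted(per_src.items()):
            if n > threshold:
                alerts.append({"rule": "spike", "src": src,
                               "detail": f"{n} requests vs threshold {threshold:g}"})

    # Rule 4: write attempts (set-request) from anything but a baseline manager.
    writers = Counter(r["src"] for r in records
                      if r["pdu"] == "set-request" and r["src"] not in BASELINE_MANAGERS)
    for src, n in sorted(writers.items()):
        alerts.append({"rule": "set_request", "src": src, "detail": f"{n} set-request(s)"})
    return alerts


def summarize(alerts):
    """Count alerts by rule name."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a['rule']}] {a['src']}: {a['detail']}")
```

Each rule fires independently, so a single source tripping all four is a strong signal; the baseline-only portion of the log produces no alerts, which is the behaviour to confirm before deploying the rules against production flow data.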

Strategic Significance

This zero-day also arrives on the heels of other actively exploited Cisco flaws, including those linked to the ArcaneDoor campaign. Together, they suggest a sustained interest from state-backed actors in undermining the devices that enterprises and governments depend on for connectivity and security.

SNMP’s history of weak defaults and poor deployment practices only compounds the risk. Exposed interfaces combined with credential compromise provide adversaries a direct path to root-level control. 

Once attackers own the network fabric, they can silently monitor, manipulate, or disrupt traffic for as long as they remain undetected.

OP Innovate Recommendations

Prioritize patching internet-facing routers and switches immediately, followed by internal devices during the next change window. Audit SNMP exposure and cut off any public interfaces. Add detection hunts to SIEM and EDR to spot anomalies linked to this exploit.

If signs of compromise are suspected, our Incident Response and PTaaS teams can validate patches, scan for exposures, and investigate persistence on Cisco infrastructure.

Stay Safe. Stay Secure.

OP Innovate Research Team
