{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-035.pdf"
    },
    "title": "High Vulnerability in Cisco IOS and IOS XE Software",
    "serial_number": "2025-035",
    "publish_date": "26-09-2025 07:03:31",
    "description": "On September 24, 2025, Cisco released a security advisory regarding a high severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software. The vulnerability is being exploited in the wild.<br>\nIt is recommended updating as soon as possible and conduct a compromise assessment on devices that are exposing SNMP on the Internet. It is also recommended not allowing access to SNMP over untrusted network (i.e. on the Internet).<br>\n",
    "url_title": "2025-035",
    "content_markdown": "---    \ntitle: 'High Vulnerability in\u00a0Cisco\u00a0IOS\u00a0and\u00a0IOS\u00a0XE\u00a0Software'\nnumber: '2025-035'\nversion: '1.0'\noriginal_date: '2025-09-24'\ndate: '2025-09-26'\n---\n\n_History:_\n\n* _26/09/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 24, 2025, Cisco released a security advisory regarding a high severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software. The vulnerability **is being exploited in the wild** [1].\n\nIt is recommended updating as soon as possible and conduct a compromise assessment on devices that are exposing SNMP on the Internet. It is also recommended not allowing access to SNMP over untrusted network (i.e. on the Internet).\n\n# Technical Details\n\nThe vulnerability **CVE-2025-20352**, with a CVSS score of 7.7, lies in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software and is due to a stack overflow condition in the SNMP subsystem. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks [1].\n\nExploitation of the vulnerability could allow the following:\n\n- An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials.\n- An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device.\n\nAn attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. \n\n# Affected Products\n\nThis vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software. Customers should use the [Cisco Software Checker](https://sec.cloudapps.cisco.com/security/center/softwarechecker.x) to determine the appropriate patched release for their specific software train [1].\n\nMeraki MS390 and Cisco Catalyst 9300 Series Switches that are running Meraki CS 17 and earlier are also affected. This is fixed in Cisco IOS XE Software Release 17.15.4a [1].\n\n# Recommendations\n\nIt is recommended updating as soon as possible and conduct a compromise assessment on devices that are exposing SNMP on the Internet. It is also recommended not allowing access to SNMP over untrusted network (i.e. on the Internet) [1].\n\n# References\n\n[1] <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte#fs>",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/09/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 24, 2025, Cisco released a security advisory regarding a high severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software. The vulnerability <strong>is being exploited in the wild</strong> [1].</p><p>It is recommended updating as soon as possible and conduct a compromise assessment on devices that are exposing SNMP on the Internet. It is also recommended not allowing access to SNMP over untrusted network (i.e. on the Internet).</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-20352</strong>, with a CVSS score of 7.7, lies in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software and is due to a stack overflow condition in the SNMP subsystem. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks [1].</p><p>Exploitation of the vulnerability could allow the following:</p><ul><li>An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials.</li><li>An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device.</li></ul><p>An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. </p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software. Customers should use the <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/softwarechecker.x\">Cisco Software Checker</a> to determine the appropriate patched release for their specific software train [1].</p><p>Meraki MS390 and Cisco Catalyst 9300 Series Switches that are running Meraki CS 17 and earlier are also affected. This is fixed in Cisco IOS XE Software Release 17.15.4a [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended updating as soon as possible and conduct a compromise assessment on devices that are exposing SNMP on the Internet. It is also recommended not allowing access to SNMP over untrusted network (i.e. on the Internet) [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte#fs\">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte#fs</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}