Two Million Cisco Devices Threatened by Actively Exploited 0-Day Vulnerability

Cisco has warned that a critical zero-day vulnerability (CVE-2025-20352) affecting IOS and IOS XE is being actively exploited. The flaw could allow remote denial-of-service (DoS) attacks or arbitrary code execution on a wide range of the company’s networking devices.

Widespread Exposure

According to Cisco, the vulnerability is present in all supported versions of IOS and IOS XE—the operating systems powering much of the company’s hardware portfolio. The bug can be exploited by low-privileged users to launch DoS attacks or by high-privileged users to execute arbitrary code with root privileges.

“Cisco PSIRT is aware of exploitation of this vulnerability in the wild following the compromise of local administrator credentials,” the company said in its advisory. “Cisco strongly recommends that customers upgrade to a fixed software release to address this vulnerability.”

Cisco has not disclosed further details about real-world exploitation.

Technical Details

The flaw stems from a stack overflow in the IOS component responsible for processing SNMP (Simple Network Management Protocol), which is used by routers and other devices to collect and manage network information. Exploitation requires sending specially crafted SNMP packets over IPv4 or IPv6.

  • Remote code execution: requires a read-only community string (SNMP authentication) and elevated privileges, potentially enabling attackers to execute code with root access.
  • Denial-of-service: requires only a read-only community string or valid SNMPv3 user credentials, allowing attackers to crash targeted devices.

Security researcher Kevin Beaumont noted that exposing SNMP devices directly to the internet is poor practice, but Shodan search results show more than two million such devices accessible worldwide.

Mitigation Guidance

Cisco has released patches to address CVE-2025-20352. Organizations unable to apply them immediately are advised to:

  • Restrict SNMP access to trusted users only
  • Review the SNMP configuration of Cisco devices from the CLI using the snmp commands
  • Remove unnecessary internet exposure of SNMP services
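As an added example, not code from Cisco or from the article, the following script audits `show running-config | include snmp-server` output for the settings the guidance above targets; the config lines, ACL number and community names are constructed.

```python
"""Audit Cisco IOS/IOS XE running-config text for SNMP settings that matter
for CVE-2025-20352: any reachable community string or valid SNMPv3 user is
enough for the DoS case, so source restriction (ACLs) is the key control."""
import re

# Constructed sample of `show running-config | include snmp-server` output.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community netops RO 10
snmp-server community private RW
snmp-server group MGMT v3 priv
snmp-server group LEGACY v3 noauth
snmp-server host 192.0.2.50 version 2c public
"""

# Constructed hardened equivalent: every community bound to a management ACL,
# no default names, no write community, SNMPv3 group requiring auth + privacy.
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server community n3tOps-r0 RO 10
snmp-server group MGMT v3 priv
"""

# snmp-server community <string> [view <name>] RO|RW [<acl-number-or-name>]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
DEFAULT_NAMES = {"public", "private"}


def audit_snmp_config(config: str) -> list:
    """Return a list of (finding_code, message) tuples for risky SNMP lines."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if acl is None:
                findings.append(("NO_ACL", f"community '{name}' accepts requests from any source"))
            if mode == "RW":
                findings.append(("READ_WRITE", f"community '{name}' grants write access"))
            if name.lower() in DEFAULT_NAMES:
                findings.append(("DEFAULT_NAME", f"community '{name}' is a well-known default"))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) != "priv":
            findings.append(("V3_WEAK", f"SNMPv3 group '{m.group(1)}' allows '{m.group(2)}'; require priv"))
    return findings
```

A community bound to an ACL still exposes the DoS path to every host the ACL permits, so the ACL should list only the management stations.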

Additional Vulnerabilities

Alongside CVE-2025-20352, Cisco patched 13 other flaws, including two with available proof-of-concept exploits:

  • CVE-2025-20240 – a reflected XSS vulnerability in IOS XE that could allow an unauthenticated attacker to steal cookies.
  • CVE-2025-20149 – a DoS vulnerability allowing local authenticated users to reboot affected devices.

Cisco also urged urgent patching of two actively exploited vulnerabilities in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD):

  • CVE-2025-20333 (CVSS 9.9) – input validation flaw in HTTP(S) requests, allowing authenticated VPN users to execute code with root privileges.
  • CVE-2025-20362 (CVSS 6.5) – input validation flaw in HTTP(S) requests, enabling unauthenticated attackers to access protected web interface sections.

Cisco confirmed “attempted exploitation” of both but has not identified the attackers or disclosed how widespread the campaigns may be. Security experts believe the flaws could be chained to bypass authentication and execute malicious code.