Critical Cisco SNMP Vulnerability in IOS and IOS XE Software Could Allow Remote Code Execution

Written by: Lore Apostol, Cybersecurity Writer

CISA has warned of significant network security risks posed by vulnerabilities in widely used Cisco products, and Cisco has published an advisory. The CISA directive compels federal agencies to immediately identify and mitigate potential compromises related to flaws in Cisco Adaptive Security Appliances (ASA), Firepower devices, and software running on various hardware.

Details of the CISA Directive and Cisco Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 25-03 on Cisco devices specifically targets several vulnerabilities, adding remote code execution (RCE) flaw CVE-2025-20333 and privilege escalation flaw CVE-2025-20362 to its Known Exploited Vulnerabilities (KEV) Catalog.

Cisco has also warned of CVE-2025-20352, a critical Cisco SNMP vulnerability affecting all versions of the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE Software.

This flaw could allow a low-privileged, remote attacker to cause a denial-of-service (DoS) condition. More critically, a highly privileged attacker could exploit the stack overflow condition to execute arbitrary code with root privileges.

Cisco has confirmed that this vulnerability has been exploited in the wild after an attacker first compromised local administrator credentials. In response, CISA has mandated that all federal civilian executive branch agencies identify affected devices, collect memory files, and transmit them to CISA for forensic analysis by 11:59 p.m. EST on September 26.

Mitigation and Recommendations

As part of its federal cybersecurity measures, CISA has provided supplemental guidance and an eviction strategies tool to help agencies contain and remove threats. While Cisco has released software updates to address the vulnerabilities, no workarounds are available. 

A mitigation is possible by disabling specific Object IDs (OIDs) within the SNMP configuration, though this may impact device management functions. Although the directive is mandatory for federal agencies, CISA strongly urges all public and private sector organizations to review the advisory and apply necessary patches to safeguard their networks from these active threats.

“Cisco’s router flaw demonstrates how weak validation allows attackers to slip in crafted payloads. The same is true for mobile apps,” said Krishna Vishnubhotla, VP, Product Strategy at Zimperium.

Jason Soroko, Senior Fellow at Sectigo, also recommends that security teams triage exposure now. Organizations should inventory IOS and IOS XE systems with SNMP enabled, prioritize patching internet-facing nodes, and disable SNMP if unnecessary, Soroko advised, also stressing restricted access and enforcing secure SNMPv3.
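The mitigation described above (restricting the SNMP view to exclude specific OIDs) and Soroko's advice (inventory devices with SNMP enabled, restrict access, enforce SNMPv3) can both be turned into a configuration check. The following is an added example written for this article, not code from Cisco or from any of the quoted researchers: it audits an IOS/IOS XE running-config excerpt for SNMPv1/v2c communities, missing access-lists, missing views and SNMPv3 groups that do not require `priv`. The two config samples are constructed; the `1.3.6.1.4.1.99999` subtree in the hardened sample is a placeholder, not the OIDs Cisco's advisory names, and the user passwords are placeholders too.

```python
import re
from typing import Dict, List

# Constructed sample (not from the article): a weak IOS/IOS XE SNMP configuration.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server location DC1
"""

# Constructed sample: SNMPv3 auth+priv only, a management-station ACL, and a
# read view with an excluded subtree. 1.3.6.1.4.1.99999 is a PLACEHOLDER OID,
# not the subtree from Cisco's advisory; passwords are placeholders as well.
HARDENED_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 192.0.2.10
snmp-server view MGMT-VIEW iso included
snmp-server view MGMT-VIEW 1.3.6.1.4.1.99999 excluded
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user nms-user NMS-GROUP v3 auth sha AUTHPASSPLACEHOLDER priv aes 128 PRIVPASSPLACEHOLDER
"""

# IOS syntax: snmp-server community <string> [view <view>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)
# IOS syntax: snmp-server group <name> v3 {noauth|auth|priv} [read <view>] ... [access <acl>]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$", re.I)
# IOS syntax: snmp-server view <name> <oid-tree> {included|excluded}
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$", re.I)


def audit_snmp_config(config: str) -> Dict[str, object]:
    """Classify an IOS/IOS XE running-config excerpt by SNMP exposure.

    Returns {'snmp_enabled': bool, 'findings': [str, ...], 'risk': str} where
    risk is 'disabled', 'low' (SNMP on, no findings), 'medium' or 'high'.
    """
    findings: List[str] = []
    snmp_lines = [l.strip() for l in config.splitlines()
                  if l.strip().startswith("snmp-server")]
    if not snmp_lines:
        return {"snmp_enabled": False, "findings": [], "risk": "disabled"}

    # Collect views first so group checks can see whether any subtree is excluded.
    views: Dict[str, List[tuple]] = {}
    for line in snmp_lines:
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower()))

    for line in snmp_lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, view, mode, acl = m.groups()
            findings.append(f"v1/v2c community '{name}' configured (no authentication or encryption)")
            if (mode or "RO").upper() == "RW":
                findings.append(f"community '{name}' is read-write")
            if not acl:
                findings.append(f"community '{name}' has no access-list restricting source addresses")
            if not view:
                findings.append(f"community '{name}' exposes the full MIB (no view)")
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level, rest = m.groups()
            if level.lower() != "priv":
                findings.append(f"v3 group '{group}' accepts security level '{level}' (no privacy)")
            if "access" not in rest.split():
                findings.append(f"v3 group '{group}' has no access-list")
            rv = re.search(r"read (\S+)", rest)
            if not rv:
                findings.append(f"v3 group '{group}' has no read view")
            elif not any(kind == "excluded" for _, kind in views.get(rv.group(1), [])):
                findings.append(f"v3 group '{group}' read view '{rv.group(1)}' excludes no OID subtree")

    if any("community" in f or "no privacy" in f for f in findings):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"snmp_enabled": True, "findings": findings, "risk": risk}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_snmp_config(cfg)
        print(f"[{label}] risk={result['risk']}")
        for f in result["findings"]:
            print("  -", f)
```

Feed it the output of `show running-config | include snmp-server` from each device in the inventory; anything reported as `high` is a candidate for patching first and for having SNMP disabled or restricted until the fixed software is installed.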

“The saving grace is that the severity of exploitation depends on the threat actor's privilege levels,” said Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. “Threat actors with high privileges, possessing both SNMP credentials and administrative (privilege level 15) credentials, can achieve remote code execution as a root user, gaining complete system control.”

Dani recommends that organizations:

Threats posed by Cisco’s vulnerabilities were underscored by Satnam Narang, Sr. Staff Research Engineer at Tenable, who noted that two of the flaws, CVE-2025-20333 and CVE-2025-20362, were already exploited in the wild by UAT4356, also known as Storm-1849.

He added that chaining the two could give attackers full control over affected devices, a technique previously linked to the ArcaneDoor campaign that targeted Cisco hardware.
