CVE-2025-20352
Published: 24 September 2025
Summary
CVE-2025-20352 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Cisco IOS. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A stack overflow vulnerability exists in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software, affecting all SNMP versions. The flaw resides in how the software processes SNMP packets and can be triggered over IPv4 or IPv6.
An authenticated remote attacker possessing the SNMPv2c or earlier read-only community string or valid SNMPv3 credentials can send a crafted packet to trigger a denial-of-service reload. On IOS XE devices, an attacker who additionally holds administrative or privilege-15 credentials can leverage the same vector to execute arbitrary code as root and gain full control of the device.
The vulnerability is tracked in the CISA Known Exploited Vulnerabilities catalog, and Cisco has published an advisory at sec.cloudapps.cisco.com. Its EPSS score rose from a low baseline to a peak of 0.0420, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31023
Vulnerability details
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following:
- An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials.
- An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device.

An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.

Note: This vulnerability affects all versions of SNMP.
- CWE(s): CWE-121 (Stack-based Buffer Overflow)
- KEV Date Added: 29 September 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in SNMP service allows remote authenticated exploitation for RCE (or DoS) on network devices, directly mapping to public-facing app and remote service exploitation techniques.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the stack-based buffer overflow vulnerability in the SNMP subsystem by requiring timely application of vendor-provided patches.
- Requires validation of SNMP packet inputs to prevent crafted packets from triggering the buffer overflow condition.
- Implements memory protections such as stack guards to mitigate successful exploitation of the stack overflow for code execution.