Cyber Resilience

CVE-2025-20352

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 September 2025

Modified: 28 October 2025
KEV Added: 29 September 2025
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0324 (87.4th percentile)
Risk Priority: 37 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20352 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Cisco IOS. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A stack overflow vulnerability exists in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software, affecting all SNMP versions. The flaw resides in how the software processes SNMP packets and can be triggered over IPv4 or IPv6.

An authenticated remote attacker possessing the SNMPv2c or earlier read-only community string or valid SNMPv3 credentials can send a crafted packet to trigger a denial-of-service reload. On IOS XE devices, an attacker who additionally holds administrative or privilege-15 credentials can leverage the same vector to execute arbitrary code as root and gain full control of the device.

The vulnerability is tracked in the CISA Known Exploited Vulnerabilities catalog, and Cisco has published an advisory at sec.cloudapps.cisco.com. Its EPSS score rose from a low baseline to a peak of 0.0420, indicating emerging exploitation interest after disclosure.

Vulnerability details

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.

CWE(s)
KEV Date Added: 29 September 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Buffer overflow in SNMP service allows remote authenticated exploitation for RCE (or DoS) on network devices, directly mapping to public-facing app and remote service exploitation techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20337: Same vendor: Cisco · both on KEV
CVE-2026-20127: Same vendor: Cisco · both on KEV
CVE-2026-20131: Same vendor: Cisco · both on KEV
CVE-2025-20393: Same vendor: Cisco · both on KEV
CVE-2026-20128: Same vendor: Cisco · both on KEV
CVE-2025-20175: Same product: Cisco IOS
CVE-2025-20171: Same product: Cisco IOS
CVE-2026-20045: Same vendor: Cisco · both on KEV
CVE-2025-20174: Same product: Cisco IOS
CVE-2025-20169: Same product: Cisco IOS

Affected Assets

cisco · ios xe sd-wan: 16.10.1, 16.10.2, 16.10.3, 16.10.3a, 16.10.3b
cisco · ios xe: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d
cisco · ios: 12.2(33)sxi, 12.2(33)sxi1, 12.2(33)sxi10, 12.2(33)sxi11, 12.2(33)sxi12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the stack-based buffer overflow vulnerability in the SNMP subsystem by requiring timely application of vendor-provided patches.

Prevent: Requires validation of SNMP packet inputs to prevent crafted packets from triggering the buffer overflow condition.

Prevent: Implements memory protections such as stack guards to mitigate successful exploitation of the stack overflow for code execution.
