A critical vulnerability in Cisco IOS and IOS XE software, tracked as CVE-2025-20352, is being actively exploited in the wild, allowing attackers to plant rootkits and cause denial of service (DoS) conditions on network devices. The flaw, which resides in the Simple Network Management Protocol (SNMP) subsystem, was disclosed on September 24, 2025, and quickly added to the Known Exploited Vulnerabilities (KEV) catalog on September 29, 2025, due to its active exploitation.
The vulnerability, with a CVSS score of 7.7, is classified as high severity. It allows an authenticated, remote attacker with low privileges to exploit the SNMP subsystem, potentially leading to a DoS condition. More alarmingly, attackers have leveraged this flaw to install rootkits on network switches, significantly compromising the integrity and security of affected systems.
The exploitation of CVE-2025-20352 was swift, with attackers taking advantage of the vulnerability within just 4.3 days of its disclosure. This rapid exploitation underscores the critical nature of the flaw and the urgency for organizations to apply patches. Cisco has released fixes to address the vulnerability, but the presence of a proof-of-concept (PoC) exploit in the public domain increases the risk of further attacks.
The exploitation of this vulnerability highlights the ongoing challenges in securing network infrastructure against sophisticated threats. The ability to plant rootkits via this flaw not only disrupts normal operations but also provides attackers with persistent access to compromised devices, potentially leading to further exploitation and data exfiltration.
Organizations using Cisco IOS and IOS XE software are urged to prioritize patching to mitigate the risk posed by this vulnerability. The SSVC (Stakeholder-Specific Vulnerability Categorization) rating of 'attend' indicates that immediate attention is required to address the threat. Given the active exploitation and the potential impact on network operations, security teams should verify the integrity of their systems and monitor for any signs of compromise.
In addition to applying patches, organizations should review their SNMP configurations and consider implementing additional security measures, such as network segmentation and enhanced monitoring, to detect and respond to suspicious activities promptly. The exploitation of CVE-2025-20352 serves as a stark reminder of the importance of timely vulnerability management and the need for robust security practices to protect critical network infrastructure.
CSURFACE