CVE-2025-20352: Zero-Day in Cisco IOS & IOS XE SNMP Exploited, Allows DoS and Root RCE
[Update] Attackers Exploit CVE-2025-20352 to Deploy Rootkits in Operation Zero Disco
[Update] CVE-2025-20352 Added to CISA’s KEV Catalog
Cisco has published several security advisories on September 24, detailing 17 new vulnerabilities across IOS, IOS XE, and other software. While not all of them pose the same level of risk, one particular flaw, tracked as CVE-2025-20352, is already being exploited in the wild, making it a critical focus for network administrators. Let’s break down what’s happening, starting with the most severe case and then covering the broader update.
What is CVE-2025-20352?
The centerpiece of this update is CVE-2025-20352, a high-severity flaw (CVSS 7.7) affecting the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE Software.
This vulnerability stems from a stack overflow condition. Depending on the attacker’s level of access:
- With low privileges (e.g., SNMPv2c read-only access), an attacker could force an affected device to reload, causing a denial of service (DoS).
- With administrative or privilege 15 access, an attacker could go further, achieving Remote Code Execution (RCE) as root, which effectively hands them full control of the system.

Details of CVE-2025-20352 (SOCRadar Vulnerability Intelligence)
Which Cisco Devices Are Affected by CVE-2025-20352?
- Cisco IOS and IOS XE devices running vulnerable releases.
- Meraki MS390 and Catalyst 9300 Series switches using Meraki CS 17 or earlier.
- Other Cisco platforms are not impacted (e.g., IOS XR and NX-OS are unaffected).
Cisco Reports Exploitation of SNMP Zero-Day CVE-2025-20352
Cisco has confirmed that this zero-day is under active exploitation. Attackers have been seen leveraging it after gaining administrative credentials.
How Does the Exploit Work?
The exploit works by sending specially crafted SNMP packets over IPv4 or IPv6. Because this flaw affects all SNMP versions, any device with SNMP enabled should be considered at risk unless patched or mitigated.
CVE-2025-20352 Added to CISA’s KEV Catalog
CISA has added CVE-2025-20352, the SNMP subsystem flaw in Cisco IOS and IOS XE, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply mitigations or discontinue use of affected systems by October 20, 2025.
The flaw can lead to DoS or RCE, with the most severe scenario allowing attackers to gain root privileges and full system control. While exploitation in ransomware campaigns has not yet been confirmed, the potential impact makes timely remediation critical.
Attackers Exploit CVE-2025-20352 to Deploy Rootkits in Operation Zero Disco
Researchers have uncovered an active campaign, dubbed Operation Zero Disco, exploiting the Cisco IOS and IOS XE vulnerability CVE-2025-20352. The attackers deployed rootkits on unprotected Linux systems through compromised Cisco devices.
The exploit targets the SNMP flaw to gain Remote Code Execution (RCE) and install malware capable of disabling logs, bypassing authentication, and moving laterally across VLANs. The researchers’ analysis also revealed attempts to exploit the older CVE-2017-3881 flaw in the same systems.
Cisco has acknowledged that CVE-2025-20352 was exploited as a zero-day, and defenders are urged to verify device integrity and apply all available patches.
Which Other High-Severity Vulnerabilities Were Disclosed?
While CVE-2025-20352 is drawing the most attention, the latest advisories also reveal several additional high-severity issues across Cisco software:
- CVE-2025-20334 (CVSS 8.8): HTTP API Command Injection in IOS XE could allow attackers to run arbitrary commands.
- CVE-2025-20160 (CVSS 8.1): Authentication bypass in TACACS+ for IOS and IOS XE.
- CVE-2025-20315 (CVSS 8.6): Network-Based Application Recognition (NBAR) DoS flaw.
- CVE-2025-20312 (CVSS 7.7): SNMP DoS issue in IOS XE.
- CVE-2025-20313 & CVE-2025-20314 (CVSS 6.7): Secure Boot bypass problems in IOS XE.
- CVE-2025-20327 (CVSS 7.7): DoS in Industrial Ethernet Switch Device Manager.
- CVE-2025-20311 (CVSS 7.4): DoS in Catalyst 9000 Series switches.
Each of these flaws, if left unpatched, could lead to network downtime, configuration tampering, or unauthorized access.
In addition to the nine high-severity bugs, Cisco disclosed eight medium-severity vulnerabilities. These include reflected cross-site scripting (CVE-2025-20240), CLI injection flaws (CVE-2025-20338), and access control bypasses affecting wireless and switching platforms.
While not as pressing as the high-severity group, they still represent potential footholds for attackers, particularly when combined with privilege escalation or lateral movement strategies.
How to Fix CVE-2025-20352? Remediation & Mitigation Steps
Cisco has released software updates to address these vulnerabilities. Upgrading to the fixed versions is the primary defense. For detailed instructions and to check whether your environment is affected, Cisco provides the Cisco Software Checker.
Additionally, for organizations that cannot patch immediately, Cisco suggests the following mitigation steps for CVE-2025-20352:
- Restrict SNMP access to trusted users and networks only.
- Disable or exclude vulnerable Object IDs (OIDs) using the snmp-server view configuration.
- Closely monitor devices with show snmp host to detect unexpected connections.
Keep in mind that these mitigations may reduce SNMP functionality, so testing before deployment is critical. You can find the official advisory for this zero-day vulnerability here.
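As an added example (not code from Cisco's advisory or from SOCRadar), the following Python script audits a Cisco IOS running-config excerpt for the first two mitigations above: SNMP communities or SNMPv3 groups that are reachable without a source access-list, or that are not bound to a view excluding the vulnerable OIDs. The config samples are constructed, and the excluded OID is a placeholder; the real OIDs to exclude are listed in Cisco's advisory.

```python
import re

# Constructed running-config excerpts for the demo (not from the page or any real device).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp
"""
# The excluded OID below is a placeholder; take the real OIDs from Cisco's advisory.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
snmp-server view NO-VULN-OIDS iso included
snmp-server view NO-VULN-OIDS 1.3.6.1.4.1.9.9.999 excluded
snmp-server community m0n1t0r-r0 view NO-VULN-OIDS RO SNMP-MGMT
snmp-server group NMS v3 priv read NO-VULN-OIDS access SNMP-MGMT
"""

# Views that exclude at least one OID subtree (the "snmp-server view ... excluded" mitigation).
VIEW_RE = re.compile(r"^\s*snmp-server view (\S+) \S+ excluded\s*$", re.M | re.I)
# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?\s*$", re.I)
# snmp-server group <name> v1|v2c|v3 [auth|noauth|priv] [read <v>] [write <v>] [access <acl>]
GROUP_RE = re.compile(
    r"^\s*snmp-server group (\S+) (v1|v2c|v3)(?: (?:auth|noauth|priv))?"
    r"(?: read (\S+))?(?: write (\S+))?(?: access (\S+))?\s*$", re.I)


def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per SNMP setting that leaves the device needlessly exposed."""
    excluding_views = {m.group(1) for m in VIEW_RE.finditer(config)}
    findings = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw)
        if m:
            name, view, mode, acl = m.groups()
            what = f"community '{name}'"
        else:
            m = GROUP_RE.match(raw)
            if not m:
                continue
            name, _ver, view, write_view, acl = m.groups()
            mode = "RW" if write_view else "RO"
            what = f"group '{name}'"
        if acl is None:
            findings.append(f"{what}: no access-list, reachable from any source")
        if view is None or view not in excluding_views:
            findings.append(f"{what}: no view excluding the vulnerable OIDs")
        if mode.upper() == "RW":
            findings.append(f"{what}: write access granted")
    return findings
```

Run it against a real `show running-config` export to list which communities and groups still need an ACL or a restricted view before the patch window closes.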
The September 24, 2025 advisory bundle includes the full details of all recent Cisco vulnerabilities. You can explore the complete set of updates on Cisco’s official portal: Cisco Security Advisories.
Elevate Your Vulnerability Management with SOCRadar
Zero-day exploits like CVE-2025-20352 show how fast adversaries move once a weakness is exposed. In such cases, security teams need timely intelligence and clear visibility into their environment to make informed decisions.
SOCRadar’s Cyber Threat Intelligence supports this effort by helping you:
- Track and analyze new CVEs as they emerge.
- Map exposure in your environment with Attack Surface Management.
- Stay alert to circulating exploits with Dark Web Monitoring.
- Prioritize remediation with actionable Vulnerability Intelligence.

Easily track the latest CVEs and exploits with SOCRadar
By consolidating these capabilities, SOCRadar enables organizations to strengthen vulnerability management programs and reduce the risk of exploitation.