CVE-2025-20352 Vulnerability: A Critical Zero-Day in Cisco IOS and IOS XE Software Under Active Exploitation

Following this summer’s disclosure of two critical RCE vulnerabilities in Cisco ISE and ISE-PIC, tracked as CVE-2025-20281 and CVE-2025-20282, a new Cisco security flaw has emerged. The vendor has issued security updates for a critical zero-day vulnerability in IOS and IOS XE Software that is being actively exploited in the wild and that, depending on the attacker’s privileges, enables either remote code execution or a denial-of-service (DoS) condition on affected devices.
Exploitation of zero-day vulnerabilities is rising, while the timeframe to patch them is shrinking, making prompt updates essential. The 2025 DBIR reports a 34% increase in breaches that began with attackers weaponizing vulnerabilities compared to the previous year, highlighting the need for stronger proactive defenses to reduce exploitation risks. Mandiant’s M-Trends 2025 report strongly supports this trend, showing that for the fifth year in a row, exploits remain the top initial attack vector, accounting for 33% of all investigated breaches. Zero-day vulnerabilities have shifted from being a niche espionage tool to a mainstream method for compromising corporate networks.
A new actively exploited zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE devices, which can lead to RCE or DoS, poses severe risks to organizations running affected releases. Register for SOC Prime Platform to equip your team with top cybersecurity expertise and AI for enterprise-ready security protection. SOC Prime Platform offers a curated detection stack to help organizations spot vulnerability exploitation attempts in time and thwart them proactively. Click Explore Detections to reach dedicated Sigma rules filtered by the custom “CVE” tag to help your security team minimize the risks of CVE exploitation before it’s too late.
The above-mentioned detection content for vulnerability exploit detection is aligned with MITRE ATT&CK® and enriched with AI-native threat intelligence to deliver a comprehensive cyber threat context. Sigma rules can be converted into diverse SIEM, EDR, and Data Lake formats in an automated fashion to accelerate your detection engineering workflow.
In addition, by leveraging Uncoder AI, security engineers can perform multiple detection engineering tasks end-to-end, such as converting raw threat intel from reports and CTI feeds into performance-optimized IOC queries, Attack Flow visualization, AI-backed query optimization, and cross-platform detection content translation.
CVE-2025-20352 Analysis
On September 24, 2025, Cisco released security updates to fix a critical zero-day vulnerability in IOS and IOS XE Software that is being actively exploited in the wild. The flaw, tracked as CVE-2025-20352 with a CVSS score of 7.7, stems from a stack-based buffer overflow in the SNMP subsystem. It affects every device running an affected IOS or IOS XE release with SNMP enabled, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier, while the vendor states that IOS XR and NX-OS are not impacted. A remote attacker who holds valid SNMP credentials can trigger the overflow by sending crafted SNMP packets over IPv4 or IPv6. The outcome depends on the attacker’s privilege level. For a DoS (the affected device reloads), a low-privileged attacker needs only an SNMPv1 or SNMPv2c read-only community string or valid SNMPv3 user credentials. For RCE, which runs as root on IOS XE, a high-privileged attacker needs the same SNMP access plus administrative (privilege level 15) credentials on the device.
Cisco confirmed exploitation in the wild after local administrator credentials were compromised, which is consistent with the RCE precondition above. The bug is in the SNMP subsystem itself, so all SNMP versions (v1, v2c, and v3) are affected, and any device with SNMP enabled that has not explicitly excluded the affected object IDs (OIDs) is considered vulnerable.
Cisco lists no workaround, but the CVE-2025-20352 mitigation measures it recommends include restricting SNMP access to trusted users and auditing who is configured to receive SNMP traffic with the show snmp host command. Administrators can also exclude the affected OIDs with an SNMP view, although this may break SNMP-based discovery and inventory of the device. Cisco strongly advises upgrading to a fixed release such as IOS XE Release 17.15.4a or later, and using the Cisco Software Checker to identify the fixed release for other software trains, to fully remediate the issue.
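The preconditions and mitigations above translate directly into a configuration audit: any v1/v2c community string is enough for the DoS path, an unrestricted or read-write community widens the blast radius, and a community or v3 group that is not bound to a view excluding the affected OIDs leaves the vulnerable code reachable. The following is an added example, not code from the original page, from Cisco, or from SOC Prime. It audits a constructed IOS-style running-config excerpt; the OID 1.3.6.1.4.1.9.9.999 is a placeholder standing in for an affected OID and must be replaced with the OIDs Cisco lists in its advisory, and the ACL number, view and group names are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config excerpt (not from the page or any real device).
# 1.3.6.1.4.1.9.9.999 is a placeholder; take the real affected OIDs from Cisco's advisory.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community monitor view HARDENED RO 10
snmp-server view HARDENED iso included
snmp-server view HARDENED 1.3.6.1.4.1.9.9.999 excluded
snmp-server group NETOPS v3 priv read HARDENED access 10
snmp-server group LEGACY v3 noauth
access-list 10 permit 192.0.2.10
access-list 10 deny any
"""

WELL_KNOWN = {"public", "private"}

# snmp-server community <string> [view <name>] {RO|RW} [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)(?: (?P<acl>\S+))?$", re.I)
# snmp-server view <name> <oid-tree> {included|excluded}
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<oid>\S+) (?P<action>included|excluded)$", re.I)
# snmp-server group <name> {v1|v2c|v3 {auth|noauth|priv}} [read <view>] ... [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2c|v3)"
    r"(?: (?P<sec>auth|noauth|priv))?(?P<rest>.*)$", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    issue: str


def views_with_exclusions(config):
    """Return the names of SNMP views that exclude at least one OID subtree."""
    names = set()
    for line in config.splitlines():
        m = VIEW_RE.match(line.strip())
        if m and m.group("action").lower() == "excluded":
            names.add(m.group("name"))
    return names


def audit_snmp_config(config):
    """Flag SNMP settings that satisfy or widen the advisory's attack preconditions."""
    findings = []
    hardened = views_with_exclusions(config)
    not_hardened = "not bound to a view that excludes the affected OIDs"
    no_acl = "no ACL restricting SNMP sources"
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            # Any v1/v2c read-only string already satisfies the DoS precondition.
            findings.append(Finding(line, "v1/v2c community string present: "
                                          "enough for the DoS path; migrate to SNMPv3"))
            if m.group("string").lower() in WELL_KNOWN:
                findings.append(Finding(line, "well-known community string"))
            if m.group("mode").upper() == "RW":
                findings.append(Finding(line, "read-write community"))
            if not m.group("acl"):
                findings.append(Finding(line, no_acl))
            if m.group("view") not in hardened:
                findings.append(Finding(line, not_hardened))
            continue
        m = GROUP_RE.match(line)
        if m and m.group("ver").lower() == "v3":
            rest = m.group("rest")
            if (m.group("sec") or "").lower() == "noauth":
                findings.append(Finding(line, "SNMPv3 group without authentication"))
            read = re.search(r"\bread (\S+)", rest)
            if not read or read.group(1) not in hardened:
                findings.append(Finding(line, not_hardened))
            if not re.search(r"\baccess \S+", rest):
                findings.append(Finding(line, no_acl))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{f.issue:<70} | {f.line}")
```

Run against the sample, the only line that produces no finding is the NETOPS v3 group: it uses priv, reads through the HARDENED view that carries an exclusion, and is restricted by ACL 10. Everything else is flagged, which is the point: a view exclusion only helps if every community and group is actually bound to that view, and a missing ACL leaves the DoS path open to anyone who learns a community string. Feed it the output of show running-config | include snmp-server from a real device, after substituting the real affected OIDs, and treat any finding as a reason to prioritize the upgrade.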
As critical zero-day flaws in widely used software continue to rise and are increasingly exploited in the wild, rapid response from defenders has become absolutely crucial. Rely on SOC Prime’s complete product suite, backed by AI, automation, and real-time threat intel, to stay ahead of the most pressing threats.