As many as 2 million Cisco devices affected by actively exploited 0-day

An actively exploited zero-day vulnerability affecting up to 2 million Cisco devices has come to light, leaving many in the cybersecurity community on high alert. Exploitation can remotely crash a vulnerable system or execute code on it, making the issue a pressing concern for organizations and individuals alike.

The Vulnerability: CVE-2025-20352

The vulnerability in question is tracked as CVE-2025-20352 and affects all supported versions of Cisco IOS and Cisco IOS XE. These operating systems power a wide range of the company’s networking devices, making the potential impact staggering. Cisco has confirmed that the issue can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code with unfettered root privileges.

Exposing SNMP to the Internet

One of the primary factors contributing to the exposure is that many organizations leave Simple Network Management Protocol (SNMP) interfaces reachable from the internet. This practice is widely considered a significant risk, as it lets attackers query and manipulate network devices. Possession of a read-only community string or valid SNMPv3 user credentials gives an attacker the authenticated SNMP access that exploitation requires.

The Risks Associated with RCE

Remote Code Execution (RCE) capabilities that run as root are a major concern in this scenario. Independent researcher Kevin Beaumont explained, "If you get RCE as root, you’re getting higher than admin privileges. You’re not supposed to be able to get root on those devices." This level of access can lead to catastrophic consequences, including the theft or destruction of sensitive data.

The Role of Read-Only Community Strings

Read-only community strings are often widely known within an organization and may even ship with devices. Even where administrators have changed them, a changed string still grants the access an attacker needs. An attacker needs only a read-only community string or valid SNMPv3 user credentials to perform a denial-of-service attack.
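The two passages above come down to a configuration question: which community strings and SNMPv3 users a device accepts, and from where. The following audit script is an added example (not Cisco's tooling or anything from the article) that parses Cisco IOS-style `snmp-server` lines and flags well-known community strings, communities without a source ACL, read-write communities, and SNMPv3 users configured below authPriv. The two sample configurations are constructed for illustration; the list of well-known strings is an assumption, not an authoritative default list.

```python
"""Audit Cisco IOS-style SNMP configuration for weak exposure (added example, not Cisco code)."""
import re

# Community strings that commonly ship as defaults or circulate widely (assumed list).
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "community"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# snmp-server user <name> <group> v{1|2c|3} [auth {md5|sha} <pw> [priv ...]]
USER_RE = re.compile(
    r"^snmp-server user (?P<name>\S+) (?P<group>\S+) v(?P<ver>[123])(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample: the kind of configuration the article warns about.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community n3tw0rk-RW RW
snmp-server community Mgmt-R0-only RO SNMP-MGMT-HOSTS
snmp-server user netops NETOPS-GRP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
snmp-server user legacy NETOPS-GRP v3 auth sha AuthOnly
snmp-server user open NETOPS-GRP v3
!
"""

# Constructed sample: SNMPv3 authPriv only, restricted to management hosts by ACL.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
ip access-list standard SNMP-MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
!
snmp-server group NETOPS-GRP v3 priv access SNMP-MGMT-HOSTS
snmp-server user netops NETOPS-GRP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
"""


def audit_snmp_config(config_text):
    """Return a list of (config line, finding) tuples for weak SNMP settings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            mode = (m.group("mode") or "RO").upper()  # IOS defaults to RO
            acl = m.group("acl")
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((line, "well-known community string"))
            if acl is None:
                findings.append((line, f"{mode} community accepts queries from any source (no ACL)"))
            if mode == "RW":
                findings.append((line, "read-write community; prefer SNMPv3 authPriv or remove"))
            continue
        m = USER_RE.match(line)
        if m:
            rest = m.group("rest").lower()
            if m.group("ver") != "3":
                findings.append((line, "SNMPv1/v2c user; credentials travel in the clear"))
            elif " auth " not in rest:
                findings.append((line, "SNMPv3 user without authentication (noAuthNoPriv)"))
            elif " priv " not in rest:
                findings.append((line, "SNMPv3 user authenticates but does not encrypt (authNoPriv)"))
    return findings


def is_snmp_hardened(config_text):
    """True when the audit raises no findings."""
    return not audit_snmp_config(config_text)


if __name__ == "__main__":
    for line, why in audit_snmp_config(WEAK_CONFIG):
        print(f"{why}: {line}")
    print("hardened sample clean:", is_snmp_hardened(HARDENED_CONFIG))
```

Run against the weak sample it reports six findings, against the hardened sample none. A passing audit does not make an unpatched device safe: the article's point is that any accepted read-only string or SNMPv3 credential is enough for a denial-of-service, so the ACL only narrows who can present one.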

The Significance of Shodan Search Engine Results

Recent Shodan search engine results indicate that over 2 million devices worldwide have their SNMP interfaces exposed to the internet. This alarming figure highlights the widespread nature of this vulnerability and underscores the need for immediate action to mitigate the risk.

Mitigation Strategies and Workarounds

For those unable to install an update immediately, Cisco recommends limiting SNMP access to trusted users and monitoring devices with the snmp command in the terminal window. These measures reduce exposure but are not a fix: Cisco offers no workaround that removes the vulnerability, so organizations must prioritize upgrading their systems as soon as possible to prevent exploitation.
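The monitoring half of that advice is only useful if someone looks at what the device reports. The script below is an added example (not from Cisco or the article) that reads IOS-style syslog lines, tallies `%SNMP-3-AUTHFAIL` messages by source address, and raises an alert for any source outside an allowlist of management hosts or any source exceeding a failure threshold. The log lines, the management allowlist and the threshold are constructed assumptions for illustration.

```python
"""Flag suspicious SNMP authentication failures in IOS-style syslog (added example)."""
import re
from collections import Counter

# Constructed sample log lines in the shape of the IOS %SNMP-3-AUTHFAIL message.
SAMPLE_LOG = """\
Sep 25 10:14:02.113 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.42
Sep 25 10:14:02.409 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.42
Sep 25 10:14:02.701 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.42
Sep 25 10:14:03.002 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.42
Sep 25 10:16:40.550 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Sep 25 10:20:11.017 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.10)
Sep 25 10:31:57.880 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
"""

# Assumed allowlist: the only hosts that should ever speak SNMP to the device.
MANAGEMENT_HOSTS = {"192.0.2.10", "192.0.2.11"}
# Assumed threshold: more failures than this from one source counts as a burst.
BURST_THRESHOLD = 3

AUTHFAIL_RE = re.compile(
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_snmp_auth_failures(log_text):
    """Return a Counter of source host -> number of SNMP authentication failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def snmp_auth_alerts(log_text, allowed=MANAGEMENT_HOSTS, threshold=BURST_THRESHOLD):
    """Return a sorted list of (host, failures, reasons) for sources worth investigating."""
    alerts = []
    for host, failures in count_snmp_auth_failures(log_text).items():
        reasons = []
        if host not in allowed:
            reasons.append("source is not a known management host")
        if failures > threshold:
            reasons.append(f"{failures} failures exceeds burst threshold of {threshold}")
        if reasons:
            alerts.append((host, failures, reasons))
    return sorted(alerts, key=lambda a: (-a[1], a[0]))


if __name__ == "__main__":
    for host, failures, reasons in snmp_auth_alerts(SAMPLE_LOG):
        print(f"{host}: {failures} failure(s); " + "; ".join(reasons))
```

On the sample, the unknown source with four rapid failures and the single stray request from a second unknown host are both reported; the one failure from a listed management host is counted but not alerted, since a mistyped credential from the NOC is expected noise. Any authentication failure from a source that should never reach the SNMP port at all is the more important signal, because it means the exposure the article describes is real for that device.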

The September Update Release

CVE-2025-20352 is one of 14 vulnerabilities addressed in Cisco’s recent September update release. Eight of these vulnerabilities carried severity ratings ranging from 6.7 to 8.8, emphasizing the importance of regular software updates and patches to ensure network security.

Conclusion

The actively exploited zero-day vulnerability affecting up to 2 million Cisco devices serves as a stark reminder of the ever-present threats in the world of cybersecurity. Organizations must take immediate action to mitigate this risk by upgrading their systems and ensuring that SNMP interfaces are not exposed to the internet. By prioritizing network security and staying informed about emerging threats, we can work together to prevent catastrophic consequences and protect our digital infrastructure.