
Cisco SNMP Under Active Attack: Routers Compromised by Malformed Requests

Cisco's SNMP implementations are under active attack. Compromised routers are pinging external servers, and attackers are exploiting a critical buffer overflow issue to execute arbitrary code.


Cisco's Simple Network Management Protocol (SNMP) implementations in IOS and IOS XE are under active attack: compromised routers have been observed pinging external servers after handling malformed requests. The Cybersecurity and Infrastructure Security Agency (CISA) identified this behavior weeks after the vulnerability's public disclosure.

The vulnerability, tracked as CVE-2025-20352, is a stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE. It is remotely triggerable by sending an oversized payload in a GetBulk request: the malformed Protocol Data Unit (PDU) causes an out-of-bounds write on the SNMP engine's stack. Note that the bug is not reachable anonymously. Per Cisco's advisory the attacker needs a valid SNMPv2c (or earlier) community string or SNMPv3 credentials, with which a low-privileged attacker can crash the device, while an attacker holding administrative (privilege 15) credentials can execute arbitrary code. Default or widely shared community strings and SNMP exposed beyond the management network are therefore what turn this into a practical remote code execution path.
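The following parser is an added example; it is not code from the article, from Cisco, or from any published exploit. It walks the BER framing of an SNMPv2c message far enough to reach a GetBulk PDU and its variable bindings, then flags any element whose encoded length exceeds a threshold, which is the kind of screen a sensor on the management network could apply. The 512-byte limit, the sample packets and the synthetic 2000-byte OID are constructed for illustration and are not the actual CVE-2025-20352 trigger, which the article does not detail.

```python
"""Heuristic screen for oversized SNMPv2c GetBulk requests (added example).

Parses BER/ASN.1 framing: Message -> GetBulk PDU -> variable bindings, and
reports any element longer than MAX_ELEMENT_LEN or any framing error.
The threshold and the sample packets below are assumptions for illustration,
not values taken from Cisco's advisory.
"""

GETBULK_TAG = 0xA5      # context-specific, constructed, tag 5 = GetBulkRequest-PDU
MAX_ELEMENT_LEN = 512   # assumed threshold; tune to what your NMS really sends


def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated TLV")
    tag = buf[pos]
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first & 0x80:                      # long-form length: 0x8N then N bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):           # declared length must fit the packet
        raise ValueError("declared length %d exceeds packet" % length)
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode a BER TLV; used only to build the constructed sample packets."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_getbulk(oid_payload: bytes, community: bytes = b"public") -> bytes:
    """Construct an SNMPv2c GetBulk message with one varbind (synthetic input)."""
    varbind = encode_tlv(0x30, encode_tlv(0x06, oid_payload) + encode_tlv(0x05, b""))
    pdu_body = (encode_tlv(0x02, b"\x01")        # request-id
                + encode_tlv(0x02, b"\x00")      # non-repeaters
                + encode_tlv(0x02, b"\x0A")      # max-repetitions
                + encode_tlv(0x30, varbind))     # variable-bindings
    return encode_tlv(0x30, encode_tlv(0x02, b"\x01")   # version 1 = SNMPv2c
                      + encode_tlv(0x04, community)
                      + encode_tlv(GETBULK_TAG, pdu_body))


def screen_snmp(packet: bytes, limit: int = MAX_ELEMENT_LEN) -> list:
    """Return findings for a raw SNMP message; an empty list means nothing odd.

    Only GetBulk PDUs are screened. A framing error is reported as a finding
    too, since a management plane should only ever see well-formed requests.
    """
    findings = []
    try:
        tag, msg, _ = read_tlv(packet, 0)
        if tag != 0x30:
            return ["message is not a SEQUENCE"]
        _, _version, p = read_tlv(msg, 0)
        _, community, p = read_tlv(msg, p)
        pdu_tag, pdu, _ = read_tlv(msg, p)
        if pdu_tag != GETBULK_TAG:
            return []
        if len(community) > limit:
            findings.append("oversized community string (%d bytes)" % len(community))
        p = 0
        for _ in range(3):                # request-id, non-repeaters, max-repetitions
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        p = 0
        while p < len(varbinds):
            _, vb, p = read_tlv(varbinds, p)
            oid_tag, oid, q = read_tlv(vb, 0)
            _, value, _ = read_tlv(vb, q)
            if oid_tag != 0x06:
                findings.append("varbind name is not an OID")
            if len(oid) > limit:
                findings.append("oversized OID (%d bytes)" % len(oid))
            if len(value) > limit:
                findings.append("oversized value (%d bytes)" % len(value))
    except ValueError as exc:
        findings.append("malformed BER: %s" % exc)
    return findings


# Constructed samples: a normal walk of 1.3.6.1.2.1.1 and a request with a bloated OID.
NORMAL_GETBULK = build_getbulk(b"\x2b\x06\x01\x02\x01\x01")
OVERSIZED_GETBULK = build_getbulk(b"\x2b\x06\x01" + b"\x01" * 2000)   # synthetic

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_GETBULK), ("oversized", OVERSIZED_GETBULK)):
        print(name, screen_snmp(pkt) or "ok")
```

A screen like this only narrows the haystack; it does not replace patching, because the real trigger condition is whatever the engine's fixed-size stack buffer cannot hold, not a particular byte count, and a credentialed attacker can also probe with requests that sit under any threshold you pick.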

Cisco disclosed and patched the flaw in September 2025, noting at the time that it was already being exploited, and attackers have since deployed custom payloads that establish a reverse shell back to an attacker-controlled host. The vulnerability affects a wide range of Cisco platforms running IOS XE versions prior to 17.10; check the Cisco advisory for the fixed release in your own train rather than relying on a single version cutoff.

Cisco urges users to apply the available patches immediately. Where a device cannot be upgraded right away, the exposure can be reduced by restricting SNMP to the management network and to known NMS hosts with an access list, removing default or shared community strings, and moving to SNMPv3 with authentication and privacy, since the attacker must first hold valid SNMP credentials. Network administrators should also monitor for traffic a router has no reason to originate, such as ICMP echo or other outbound connections to hosts on the internet, which is the behavior that exposed the compromised devices. CISA advises network defenders to stay vigilant and to report any suspected compromise to the appropriate authorities.
