Cisco Patches Zero-Day Flaw Affecting Routers and Switches


Cisco on Wednesday announced patches for 14 vulnerabilities in IOS and IOS XE, including a bug that has been exploited in the wild.

The exploited flaw, tracked as CVE-2025-20352 (CVSS score of 7.7), is described as a stack overflow condition in the Simple Network Management Protocol (SNMP) subsystem of IOS and IOS XE that can be exploited by sending crafted SNMP packets to a vulnerable router or switch.

Attackers with low privileges, Cisco explains, can exploit the issue to cause a denial-of-service (DoS) condition. High-privileged attackers could exploit it to execute arbitrary code remotely as the root user.

“To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device,” Cisco notes in its advisory.

All devices running vulnerable IOS and IOS XE releases are affected, as well as Meraki MS390 and Catalyst 9300 series switches running Meraki CS 17 and earlier releases.

Cisco urges users to update their devices to a patched release as soon as possible, as the security defect has been exploited in the wild by attackers using compromised administrator credentials.
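Because exploitation requires an SNMP community string or SNMPv3 credentials, a useful first triage step is listing which devices have SNMP configured at all and with which credential types. The script below is an added example, not from Cisco or the original article: it parses saved running-config text for `snmp-server` lines. The hostnames, sample configs and the `audit_snmp` function are constructed for illustration, and ranking a community without an ACL as higher priority is this example's own assumption.

```python
# Added example: inventory SNMP exposure from saved IOS/IOS XE running-configs.
# Sample configs are constructed, not taken from real devices.
SAMPLE_CONFIGS = {
    "edge-sw1": "hostname edge-sw1\n"
                "snmp-server community EXAMPLE-RO RO\n"
                "snmp-server group OPS v3 priv\n",
    "core-rt1": "hostname core-rt1\n"
                "snmp-server community EXAMPLE-RO view LIMITED RO 10\n"
                "access-list 10 permit 192.0.2.10\n",
    "lab-rt2": "hostname lab-rt2\nno snmp-server\n",
}

def audit_snmp(config_text):
    """Summarise SNMP credential types in one config. Community strings
    are counted but never returned, so the report itself is not a secret."""
    communities, v3_groups = [], 0
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            rest = tok[3:]                      # tokens after the string
            if rest[:1] == ["view"]:            # optional "view <name>"
                rest = rest[2:]
            mode = "RO"                         # IOS default when omitted
            if rest and rest[0].upper() in ("RO", "RW"):
                mode, rest = rest[0].upper(), rest[1:]
            # Whatever remains is the ACL reference (number or name).
            communities.append({"mode": mode, "acl": rest[-1] if rest else None})
        elif tok[:2] == ["snmp-server", "group"] and tok[3:4] == ["v3"]:
            # SNMPv3 users are not shown in running-config, so count groups.
            v3_groups += 1
    return {
        "snmp_configured": bool(communities or v3_groups),
        "v1v2c_communities": len(communities),
        "communities_without_acl": sum(1 for c in communities if c["acl"] is None),
        "v3_groups": v3_groups,
    }

def patch_priority(report):
    """Order devices: unrestricted communities first, then any SNMP, then none."""
    if report["communities_without_acl"]:
        return "high"
    return "medium" if report["snmp_configured"] else "low"

if __name__ == "__main__":
    for host, cfg in SAMPLE_CONFIGS.items():
        rep = audit_snmp(cfg)
        print(host, patch_priority(rep), rep)
```

The priority label only orders the patching queue; every device on a vulnerable release still needs the fixed software.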

The fresh round of IOS and IOS XE patches, announced as part of Cisco’s semiannual bundled publication, resolves eight other high-severity vulnerabilities that could lead to DoS conditions, code execution during boot, command execution with root privileges, authentication bypass, and data leaks.

The remaining five bugs, all medium-severity, could lead to DoS conditions, XSS attacks, command execution with root privileges, access control list (ACL) bypass, or access to the device’s public-key infrastructure (PKI) server.

Cisco says proof-of-concept (PoC) exploit code exists for two of these issues, tracked as CVE-2025-20240 and CVE-2025-20149, but points out that it is not aware of their exploitation.

Three other medium-severity bugs patched this week affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software and could lead to ACL bypass, IPv6 gateway tampering, and Device Analytics data tampering.

Cisco says it is not aware of any of these flaws being exploited in the wild. Additional information can be found on the company’s security advisories page.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.