Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Summary
Cisco has released security updates for a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem and was being exploited in the wild before a fix was available. An authenticated, remote attacker who sends crafted SNMP packets to a vulnerable router or switch can cause a denial-of-service (DoS) condition; an attacker who also holds administrative credentials on the device can execute arbitrary code as root. Any IOS or IOS XE device with SNMP enabled is affected, across all SNMP versions, as are Meraki MS390 and Catalyst 9300 switches running Meraki CS 17 and earlier; IOS XR and NX-OS are not impacted. Cisco advises upgrading to a fixed release (Cisco IOS XE Software Release 17.15.4a is cited) and, until then, restricting SNMP access to trusted users and excluding the affected Object Identifiers (OIDs) from SNMP views, at the cost of some SNMP-based discovery and hardware inventory. The same advisory batch fixed 13 other IOS and IOS XE vulnerabilities (14 in total, eight of them high severity); proof-of-concept exploit code exists for two of them, but exploitation has not been confirmed. Three further medium-severity bugs affect Cisco's SD-WAN vEdge, Access Point and Wireless Access Point (AP) software.
Trend Micro researchers later disclosed a campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected devices. The attacks hit Cisco 9400 and 9300 series switches and legacy 3750G devices, and also used a modified Telnet exploit (based on CVE-2017-3881) to gain arbitrary memory access. Trend recovered exploit variants for both 32-bit and 64-bit platforms: against 32-bit builds the SNMP exploit split command payloads across packets, while on 64-bit targets the attackers needed guest shell access at privilege level 15 to install a fileless backdoor and a UDP controller for remote management. The rootkit hooks the Cisco IOS daemon (IOSd) in memory and sets a universal password containing the word "disco"; because its components are fileless they disappear after a reboot, but while resident they can be used for lateral movement. The UDP controller listens on any port for remote commands and lets the operator bypass authentication and VTY ACLs, toggle or delete device logs, hide running-config items such as account names, EEM scripts and ACLs, and reset the last running-config write timestamp. Victims were older Linux systems without endpoint detection and response (EDR), and the attackers used spoofed IP and MAC addresses. Newer switch models gain some protection from Address Space Layout Randomization (ASLR). Cisco provided forensic support that helped confirm the affected models.
Separately, Cisco patched CVE-2026-20029 in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), a medium-severity flaw in the licensing feature for which public proof-of-concept exploit code exists. It affects ISE regardless of configuration and lets an authenticated, remote attacker with administrative privileges read sensitive information; Cisco recommends upgrading to a fixed release. The same batch fixed two medium-severity bugs (CVE-2026-20026 and CVE-2026-20027) in Secure Firewall Threat Defense (FTD), IOS XE and Meraki software that let an unauthenticated, remote attacker make the Snort 3 Detection Engine leak sensitive information or restart. In December Cisco had warned that a Chinese threat group tracked as UAT-9686 was exploiting a maximum-severity AsyncOS zero-day (CVE-2025-20393), still unpatched at the time, against Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.
Timeline
-
08.01.2026 12:44 · 1 article
Cisco patches ISE and Snort 3 vulnerabilities
Cisco has released updates for a medium-severity flaw, CVE-2026-20029 (CVSS score: 4.9), in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) for which a public proof-of-concept (PoC) exploit exists. The bug resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to access sensitive information. Cisco also shipped fixes for two other medium-severity bugs (CVE-2026-20026 and CVE-2026-20027) affecting Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS XE Software and Cisco Meraki software; these could allow an unauthenticated, remote attacker to make the Snort 3 Detection Engine leak sensitive information or restart, impacting availability.
Sources:
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
-
24.09.2025 19:52 · 7 articles
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has patched CVE-2025-20352, a high-severity stack-based buffer overflow in the SNMP subsystem of IOS and IOS XE that was exploited as a zero-day. Crafted SNMP packets let an authenticated, remote attacker crash the device (DoS) or, with administrative credentials, execute code as root; Cisco became aware of exploitation after local Administrator credentials had been compromised. Fixed releases are available (IOS XE 17.15.4a among them); the interim mitigations are restricting SNMP to trusted sources and excluding the affected OIDs from SNMP views.
Trend Micro later tied in-the-wild exploitation to "Operation Zero Disco", which combined the SNMP flaw with a modified Telnet exploit (based on CVE-2017-3881) for arbitrary memory access to plant Linux rootkits on Cisco 9400, 9300 and legacy 3750G switches. Against 32-bit builds the SNMP exploit split command payloads across packets; on 64-bit targets the attackers needed guest shell access at privilege level 15 to install a fileless backdoor. The rootkit hooks IOSd in memory, sets a universal password containing "disco", and exposes a UDP controller that listens on any port, bypasses authentication and VTY ACLs, toggles or deletes logs, hides running-config items (account names, EEM scripts, ACLs) and resets the last running-config write timestamp. The implant is fileless and does not survive a reboot, but it can be used for lateral movement while resident. Victims were older Linux systems without EDR, and the attackers used spoofed IP and MAC addresses. Trend recovered multiple exploit variants for 32-bit and 64-bit platforms, and Cisco provided forensic support that confirmed the affected models.
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Information Snippets
-
CVE-2025-20352 is a stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software.
First reported: 24.09.2025 19:52 · 4 sources, 6 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The vulnerability allows authenticated, remote attackers to cause DoS conditions or gain root control.
First reported: 24.09.2025 19:52 · 4 sources, 6 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The flaw is actively exploited in the wild, with successful exploitation reported after local Administrator credentials were compromised.
First reported: 24.09.2025 19:52 · 4 sources, 7 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
Cisco recommends upgrading to a fixed software release to fully remediate the vulnerability.
First reported: 24.09.2025 19:52 · 3 sources, 4 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
Temporary mitigation involves limiting SNMP access to trusted users.
First reported: 24.09.2025 19:52 · 3 sources, 3 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
-
Cisco also patched 13 other vulnerabilities, including two with available proof-of-concept exploit code.
First reported: 24.09.2025 19:52 · 2 sources, 3 articles
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
The vulnerability affects all versions of SNMP (v1, v2c and v3) on IOS and IOS XE devices with SNMP enabled, and also specific Cisco devices running Meraki CS 17 and earlier.
First reported: 25.09.2025 09:30 · 2 sources, 3 articles
Sources:
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
-
The flaw is fixed in Cisco IOS XE Software Release 17.15.4a.
First reported: 25.09.2025 09:30 · 2 sources, 2 articles
Sources:
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
-
Cisco IOS XR Software and NX-OS Software are not impacted.
First reported: 25.09.2025 09:30 · 2 sources, 2 articles
Sources:
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
-
Administrators can disable the affected OIDs on a device to mitigate the risk.
First reported: 25.09.2025 09:30 · 3 sources, 3 articles
Sources:
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
-
Excluding the affected OIDs may impact device management through SNMP, such as discovery and hardware inventory.
First reported: 25.09.2025 09:30 · 3 sources, 3 articles
Sources:
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software — thehackernews.com — 25.09.2025 09:30
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
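The two interim mitigations above (restrict SNMP to trusted sources, exclude the affected OIDs via an SNMP view) are easy to get half right: a community without an ACL, an ACL that is referenced but never defined, or a v3 group with no read view all leave the vulnerable subtree reachable. The following is an added example, not Cisco's own tooling: a small audit that parses `snmp-server` statements from a running-config and reports what is still exposed. The `AFFECTED_OIDS` subtree is a placeholder and the two configs are constructed; substitute the OIDs from Cisco's advisory before using it.

```python
"""Audit a Cisco IOS / IOS XE running-config for the interim SNMP mitigations
(source restriction and exclusion of the affected OIDs).

Added example, not Cisco's tooling. AFFECTED_OIDS is a placeholder subtree:
replace it with the OIDs named in Cisco's advisory for CVE-2025-20352.
"""
import re

# Assumption: illustrative subtree only; take the real list from Cisco's advisory.
AFFECTED_OIDS = ("1.3.6.1.2.1.47",)


def parse_snmp_config(config: str) -> dict:
    """Collect SNMP views, communities, v3 groups and the ACL names defined."""
    views, communities, groups, acls = {}, [], [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp-server view (\S+) (\S+) (included|excluded)$", line):
            views.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(
            r"snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$", line
        ):
            communities.append({"name": m[1], "view": m[2], "mode": m[3], "acl": m[4]})
        elif m := re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$", line):
            read = re.search(r"\bread (\S+)", m[3])
            access = re.search(r"\baccess (\S+)", m[3])
            groups.append({"name": m[1], "level": m[2],
                           "view": read[1] if read else None,
                           "acl": access[1] if access else None})
        elif m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls.add(m[1])
    return {"views": views, "communities": communities, "groups": groups, "acls": acls}


def view_excludes_affected(view_name, views) -> bool:
    """True when an 'excluded' entry of the view covers every affected subtree."""
    excluded = [oid for oid, mode in views.get(view_name, []) if mode == "excluded"]
    return all(any(a == e or a.startswith(e + ".") for e in excluded)
               for a in AFFECTED_OIDS)


def audit_snmp(config: str) -> list:
    """Return findings; an empty list means both mitigations are in place."""
    cfg = parse_snmp_config(config)
    findings = []
    principals = [(f"community {c['name']}", c) for c in cfg["communities"]]
    principals += [(f"v3 group {g['name']}", g) for g in cfg["groups"]]
    for who, p in principals:
        if p.get("mode") == "RW":
            findings.append(f"{who}: read-write community")
        if p.get("level") in ("noauth", "auth"):
            findings.append(f"{who}: security level {p['level']}, use priv")
        if not p["acl"]:
            findings.append(f"{who}: no ACL restricts source addresses")
        elif p["acl"] not in cfg["acls"]:
            findings.append(f"{who}: ACL {p['acl']} is referenced but not defined")
        # No view at all means the default view, which exposes everything.
        if not p["view"] or not view_excludes_affected(p["view"], cfg["views"]):
            findings.append(f"{who}: affected OIDs reachable, no view excludes them")
    return findings


# Constructed sample configs, not captured from a real device.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group NMS v3 auth
"""

HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.0.0.5
 deny   any log
snmp-server view NOVULN iso included
snmp-server view NOVULN 1.3.6.1.2.1.47 excluded
snmp-server community mon-ro view NOVULN RO SNMP-MGMT
snmp-server group NMS v3 priv read NOVULN access SNMP-MGMT
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_snmp(cfg) or ["ok"])
```

The audit reads the config text, so run it against a copy pulled over the management plane you trust; a switch carrying the Zero Disco rootkit can hide ACL and account lines from its own `show running-config` output, so an empty finding list from a suspect device is not proof it is clean.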
-
An attacker with low privileges, meaning a valid SNMPv1 or v2c read-only community string or SNMPv3 user credentials, can trigger the overflow to cause a denial-of-service (DoS) condition.
First reported: 25.09.2025 11:40 · 2 sources, 2 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
-
An attacker who also holds administrative (privilege 15) credentials on the device can exploit the flaw to execute arbitrary code remotely as the root user.
First reported: 25.09.2025 11:40 · 2 sources, 2 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
-
The flaw is exploited by sending crafted SNMP packets to a vulnerable router or switch.
First reported: 25.09.2025 11:40 · 3 sources, 3 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
-
The flaw affects Meraki MS390 and Catalyst 9300 series switches running Meraki CS 17 and earlier releases.
First reported: 25.09.2025 11:40 · 3 sources, 3 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
-
Cisco released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities.
First reported: 25.09.2025 11:40 · 2 sources, 2 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed.
First reported: 25.09.2025 11:40 · 2 sources, 2 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
First reported: 25.09.2025 11:40 · 2 sources, 2 articles
Sources:
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
The attacks have been codenamed "Operation Zero Disco" by Trend Micro.
First reported: 16.10.2025 14:38 · 1 source, 1 article
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
-
The campaign targeted Cisco 9400, 9300, and legacy 3750G series devices.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Attackers exploited a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Attackers set universal passwords and installed hooks into the Cisco IOS daemon (IOSd) memory space.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The attacks singled out victims running older Linux systems without endpoint detection and response (EDR) solutions.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Attackers used spoofed IP and MAC addresses in their intrusions.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit sets a universal password that includes the word "disco" in it.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The malware installs several hooks into IOSd memory; because these components are fileless, they disappear after a reboot.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which makes exploitation harder but not impossible, since repeated attempts can still succeed.
First reported: 16.10.2025 14:38 · 3 sources, 3 articles
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The campaign used a UDP controller on infected switches to toggle logs, bypass authentication, and conceal configuration changes.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit allowed attackers to hide running-config items such as account names, EEM scripts, and ACLs.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit could bypass VTY ACLs and reset the last running-config write timestamp.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit could toggle or delete device logs.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
For 64-bit targets, attackers needed guest shell access at privilege level 15 to install a fileless backdoor and use a UDP controller for remote management.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit granted several covert capabilities, including acting as a UDP listener on any port for remote commands.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
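A controller that listens on any UDP port, and can hide its own ACLs and silence the device's logs, cannot be found by asking the switch; the practical tell is on the wire, as UDP traffic into the management subnet that fits neither a service the switch is expected to serve nor a reply to a conversation the switch itself started. The following is an added example, not Trend Micro's or Cisco's detection logic: a flow-record heuristic that learns the switch's outbound UDP conversations so their replies are not flagged, then reports SNMP from untrusted hosts and UDP to unexpected ports. The subnet, the trusted NMS address, the expected services and the flow records are all constructed for this example.

```python
"""Flag inbound UDP to switch management addresses that does not match the
expected management profile, e.g. an implant listening on an arbitrary port.

Added example, not Trend Micro's or Cisco's detection logic. Subnet, trusted
NMS, expected services and the flow records are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

SWITCH_MGMT_NET = ip_network("10.10.0.0/24")      # assumption
TRUSTED_NMS = {ip_address("10.0.0.5")}             # assumption
# UDP services the switches are expected to serve, and who may use them.
EXPECTED_UDP_SERVICES = {161: TRUSTED_NMS}         # assumption


def parse_flows(text: str) -> list:
    """Parse constructed 'src sport dst dport proto pkts' records."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts = line.split()
        flows.append({"src": ip_address(src), "sport": int(sport),
                      "dst": ip_address(dst), "dport": int(dport),
                      "proto": proto.lower(), "pkts": int(pkts)})
    return flows


def find_suspicious_udp(flows: list) -> list:
    """Return (reason, flow) pairs for UDP flows into the management subnet."""
    # Conversations the switch started (DNS, NTP, RADIUS, ...) draw replies to
    # its ephemeral port; learn them first so those replies are not flagged.
    outbound = {(f["src"], f["sport"], f["dst"]) for f in flows
                if f["proto"] == "udp" and f["src"] in SWITCH_MGMT_NET}
    alerts = []
    for f in flows:
        if f["proto"] != "udp" or f["dst"] not in SWITCH_MGMT_NET:
            continue
        if (f["dst"], f["dport"], f["src"]) in outbound:
            continue  # reply to something the switch asked for
        allowed = EXPECTED_UDP_SERVICES.get(f["dport"])
        if allowed is None:
            alerts.append(("udp-to-unexpected-port", f))
        elif f["src"] not in allowed:
            alerts.append(("service-from-untrusted-source", f))
    return alerts


# Constructed flow records: NMS polling, a DNS exchange the switch initiated,
# SNMP from an unknown host, and traffic to an arbitrary high UDP port.
SAMPLE_FLOWS = """
10.0.0.5     51234 10.10.0.7  161   udp 12
10.10.0.7    49152 10.0.0.53  53    udp 2
10.0.0.53    53    10.10.0.7  49152 udp 2
192.0.2.77   40000 10.10.0.7  161   udp 30
198.51.100.9 6000  10.10.0.7  47832 udp 5
10.0.0.5     51235 10.10.0.8  161   udp 9
"""

if __name__ == "__main__":
    for reason, f in find_suspicious_udp(parse_flows(SAMPLE_FLOWS)):
        print(f"{reason}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"({f['pkts']} pkts)")
```

Feed it flow or packet data from a vantage point the switch cannot tamper with, such as an upstream NetFlow exporter or a SPAN/tap, since a compromised device can suppress its own logging. The heuristic is blind to a controller that is reached over a port the switch legitimately serves, so pair it with the source restriction on SNMP itself.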
-
The rootkit created a universal password by modifying IOSd memory.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The attacks targeted older Linux hosts lacking endpoint detection and response (EDR); the fileless components disappear after a reboot but can still be used for lateral movement while resident.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The operation impacted Cisco 9400 series, 9300 series, and legacy 3750G devices.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
Cisco provided forensic support that helped confirm affected models and assisted the investigation.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The attacks involved a Telnet variant used to permit arbitrary memory access.
First reported: 16.10.2025 18:00 · 2 sources, 2 articles
Sources:
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit could hide running-config items such as account names, EEM scripts, and ACLs.
First reported: 16.10.2025 18:002 sources, 2 articlesShow sources
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit could bypass VTY ACLs and reset the last running-config write timestamp.
First reported: 16.10.2025 18:002 sources, 2 articlesShow sources
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
-
The rootkit could toggle or delete device logs.
First reported: 16.10.2025 18:00 (2 sources, 2 articles)
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
The attacks targeted older Linux hosts lacking endpoint detection and response; the rootkit's fileless components could disappear after a reboot but still enabled lateral movement.
First reported: 16.10.2025 18:00 (2 sources, 2 articles)
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms.
First reported: 16.10.2025 18:00 (2 sources, 2 articles)
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
The operation impacted Cisco 9400 series, 9300 series, and legacy 3750G devices.
First reported: 16.10.2025 18:00 (2 sources, 2 articles)
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
CVE-2026-20029 is a vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
The flaw is due to improper parsing of XML processed by the web-based management interface of Cisco ISE and ISE-PIC.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Exploiting this vulnerability allows attackers to read arbitrary files from the underlying operating system, including sensitive data.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Valid administrative credentials are required to exploit this vulnerability.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
A proof-of-concept (PoC) exploit for CVE-2026-20029 is available online.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Cisco addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine.
First reported: 08.01.2026 11:13 (2 sources, 2 articles)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2025-20337 is a maximum-severity Cisco ISE zero-day that was exploited to deploy custom malware.
First reported: 08.01.2026 11:13 (1 source, 1 article)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
CVE-2025-20337 could allow unauthenticated attackers to execute arbitrary code or gain root privileges on vulnerable devices.
First reported: 08.01.2026 11:13 (1 source, 1 article)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
CVE-2025-20393 is a maximum-severity Cisco AsyncOS zero-day exploited by the Chinese threat group UAT-9686.
First reported: 08.01.2026 11:13 (1 source, 1 article)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
Cisco advises securing and restricting access to vulnerable appliances until a patch for CVE-2025-20393 is released.
First reported: 08.01.2026 11:13 (1 source, 1 article)
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
CVE-2026-20029 affects Cisco ISE and ISE-PIC releases earlier than 3.2, 3.2 through 3.2 Patch 8, 3.3 through 3.3 Patch 8, and 3.4 through 3.4 Patch 4; Release 3.5 is not vulnerable.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2026-20029 is due to improper parsing of XML processed by the web-based management interface of Cisco ISE and ISE-PIC.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Successful exploitation of CVE-2026-20029 could allow an attacker with valid administrative credentials to read arbitrary files from the underlying operating system.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Cisco has released updates to address CVE-2026-20029, with no workarounds available.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2026-20026 and CVE-2026-20027 are medium-severity bugs affecting Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS XE Software, and Cisco Meraki software.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2026-20026 is a Snort 3 DCE/RPC denial-of-service vulnerability with a CVSS score of 5.8.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2026-20027 is a Snort 3 DCE/RPC information disclosure vulnerability with a CVSS score of 5.3.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
CVE-2026-20026 and CVE-2026-20027 could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, impacting availability.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Trend Micro researcher Guy Lederfein has been credited with reporting CVE-2026-20026 and CVE-2026-20027.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
There are no indications that CVE-2026-20029 has been exploited in the wild.
First reported: 08.01.2026 12:44 (1 source, 1 article)
- Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release — thehackernews.com — 08.01.2026 12:44
Similar Happenings
Critical FortiCloud SSO Authentication Bypass Vulnerabilities Patched
Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. Threat actors have begun exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Organizations are advised to apply patches immediately, disable FortiCloud SSO until updates are applied, and limit access to management interfaces. CISA has added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week by December 23rd.
Google Patches Two Exploited Android Framework Vulnerabilities
Google released December 2025 Android security updates addressing 107 vulnerabilities, including two Framework bugs (CVE-2025-48633, CVE-2025-48572) actively exploited in limited, targeted attacks. The updates also fixed a critical Framework flaw (CVE-2025-48631) enabling remote DoS without additional privileges. Patches are available in two levels (2025-12-01, 2025-12-05) for faster manufacturer adoption. The vulnerabilities affect Android versions 13, 14, 15, and 16, and the patches will address 56 additional vulnerabilities affecting Android components in the kernel or third-party components. Similar flaws in the past were used for targeted exploitation by commercial spyware or nation-state operations targeting a small number of high-interest individuals. The updates address four critical-severity fixes for elevation-of-privilege flaws in the Kernel's Pkvm and UOMMU subcomponents, and two critical fixes for Qualcomm-powered devices (CVE-2025-47319 and CVE-2025-47372). Samsung published its security bulletin, including ported fixes from the Google update and vendor-specific fixes. Devices on Android 10 and later may receive some crucial fixes via Google Play system updates. Play Protect can detect and block documented malware and attack chains, so users of any Android version should keep the component up to date and active.
Critical Vulnerabilities in Fluent Bit Logging Agent
Critical vulnerabilities in Fluent Bit, a widely used telemetry agent, have been disclosed. These flaws affect log, metric, and trace handling across banking, cloud, and SaaS platforms. The issues include improper input validation, path traversal bugs, and authentication bypasses, allowing attackers to manipulate logs, overwrite files, and execute code. Patches are available in versions v4.1.1 and v4.0.12, but older versions remain at risk. The vulnerabilities could distort observability pipelines, impacting financial services, security products, and SaaS environments. Immediate patching and configuration hardening are recommended. AWS has urged customers to update to the latest version of Fluent Bit for optimal protection. The flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure.
Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks
CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.
Critical Cisco UCCX RMI Vulnerability Exploitable for Root Command Execution
A critical vulnerability in Cisco Unified Contact Center Express (UCCX) allows unauthenticated attackers to execute commands with root privileges. The flaw, CVE-2025-20354, resides in the Java Remote Method Invocation (RMI) process. Cisco has released patches to address this issue. The UCCX platform is a software solution for managing customer interactions in call centers. The vulnerability enables attackers to upload crafted files and execute arbitrary commands on the underlying operating system. Cisco also patched a critical flaw in the CCX Editor application, which allows unauthenticated attackers to bypass authentication and execute arbitrary scripts with admin permissions. Updates are available for affected versions.