Cisco IOS and IOS XE Software SNMP stack-based buffer overflow denial-of-service flaw (CVE-2025-20352)
Vulnerability
Summary
CVE-2025-20352 is a Cisco IOS and IOS XE SNMP stack-based buffer overflow that was exploited in the wild before Cisco’s fix, and later activity showed Operation Zero Disco using it to deploy Linux rootkits on older, unprotected systems. The campaign primarily affected Cisco 9400, 9300, and legacy 3750G series devices, and also included attempts to abuse a modified Telnet flaw based on CVE-2017-3881 for memory access. The attacks enabled remote code execution and persistent unauthorized access through universal passwords and hooks in IOSd memory space.
Cases
Related Happenings
Linux kernel Dirty Frag local root escalation privilege-escalation flaw
Vulnerability
First: 08.05.2026 10:45
Last: 08.05.2026 10:45
Sources 1
About this happening:
**Dirty Frag** is a newly disclosed **Linux kernel** zero-day that can give **local attackers root privileges** on **most major Linux distributions**. The flaw is anchored in the...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Cisco Catalyst SD-WAN active exploitation wave
Exploitation Wave
First: 05.03.2026 14:15
Last: 05.03.2026 14:15
Sources 1
About this happening:
**Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...
Timeline
16.10.2025 14:38 2 articles · 7mo ago
Operation Zero Disco exploits Cisco IOS and IOS XE
Exploitation Observed
Trend Micro disclosed Operation Zero Disco, a campaign that exploited CVE-2025-20352 in Cisco IOS Software and IOS XE Software as a zero-day to deploy Linux rootkits on older, unprotected systems. The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, and also included attempts to exploit a modified Telnet vulnerability based on CVE-2017-3881 to gain memory access, remote code execution, and persistent unauthorized access through universal passwords and hooks in IOSd memory space.
Sources:
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks — thehackernews.com — 16.10.2025 14:38
- Hackers exploit Cisco SNMP flaw to deploy rootkit on switches — www.bleepingcomputer.com — 16.10.2025 21:13
24.09.2025 19:52 4 articles · 8mo ago
Cisco releases fixes for exploited IOS and IOS XE zero-day
Initial Disclosure
Cisco issued security updates for Cisco IOS and IOS XE Software to remediate CVE-2025-20352, a high-severity zero-day stack-based buffer overflow in the SNMP subsystem affecting devices with SNMP enabled. Cisco said the vulnerability is being exploited in attacks, that crafted SNMP packets over IPv4 or IPv6 can trigger denial-of-service conditions on unpatched devices, and that high-privileged attackers may gain root code execution on vulnerable Cisco IOS XE systems; Cisco recommends upgrading to a fixed release or temporarily limiting SNMP access to trusted users.
Sources:
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco warns of IOS zero-day vulnerability exploited in attacks — www.bleepingcomputer.com — 24.09.2025 19:52
- Cisco Patches Zero-Day Flaw Affecting Routers and Switches — www.securityweek.com — 25.09.2025 11:40
- Cisco's Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS — www.darkreading.com — 25.09.2025 22:22