Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities – Source:sec.cloudapps.cisco.com

Source: sec.cloudapps.cisco.com

Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities

High

CVE-2025-20169

CVE-2025-20170

CVE-2025-20171

CWE-805

Summary

  • Multiple vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    For more information about these vulnerabilities, see the Details section of this advisory.

    Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW

Affected Products

  • These vulnerabilities affect Cisco devices if they are running a vulnerable release of Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software with the SNMP feature enabled. These vulnerabilities affect all versions of SNMP (versions 1, 2c, and 3).

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine whether a device has SNMP v1 or v2c enabled, use the show running-config | include snmp-server community CLI command. If there is output, SNMP is enabled, as shown in the following example:

    Router# show running-config | include snmp-server community
    snmp-server community public ro

    To determine whether a device has SNMP v3 enabled, use the show running-config | include snmp-server group and show snmp user CLI commands. If there is output from both commands, SNMP v3 is enabled, as shown in the following example:

    Router# show running-config | include snmp-server group
    snmp-server group v3group v3 noauth

    Router# show snmp user
    User name: remoteuser1
    Engine ID: 800000090300EE01E71C178C
    storage-type: nonvolatile active
    Authentication Protocol: SHA
    Privacy Protocol: None
    Group-name: v3group

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Details

  • The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

    Details about the vulnerabilities are as follows:

    CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, CVE-2025-20173, CVE-2025-20174, CVE-2025-20175, CVE-2025-20176: Cisco IOS and IOS XE Software SNMP Software Denial of Service Vulnerabilities

    Multiple vulnerabilities in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.

    These vulnerabilities are due to improper error handling when parsing SNMP requests. An attacker could exploit these vulnerabilities by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.

    These vulnerabilities affect SNMP versions 1, 2c, and 3. To exploit these vulnerabilities through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit these vulnerabilities through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

    Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.

    Bug ID(s): CSCwm79581, CSCwm79554, CSCwm79564, CSCwm79590, CSCwm79570, CSCwm79596, CSCwm79577
    CVE ID(s): CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, CVE-2025-20173, CVE-2025-20174, CVE-2025-20175, CVE-2025-20176
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.7
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

    CVE-2025-20172: Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities

    A vulnerability in the SNMP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.

    This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. For Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. For Cisco IOS XR Software, a successful exploit could allow the attacker to cause the SNMP process to restart, resulting in an interrupted SNMP response from an affected device. Devices that are running Cisco IOS XR Software will not reload.

    This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

    Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.

    Cisco IOS and IOS XE Software

    Bug ID(s): CSCwm89600
    CVE ID(s): CVE-2025-20172
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.7
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

    Cisco IOS XR Software

    Bug ID(s): CSCwn08493
    CVE ID(s): CVE-2025-20172
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Workarounds

  • There are no workarounds that address these vulnerabilities. However, there are mitigations. Cisco strongly recommends implementing these mitigations until fixed software is available and an upgrade can be performed.

    Administrators can disable the vulnerable object identifiers (OIDs) on a device. Not all software will support each OID that is listed in the mitigation. If the OID is not valid for specific software, then it is not vulnerable to that specific vulnerability. Excluding these OIDs may affect device management through SNMP, such as discovery and hardware inventory.

    As a best practice, SNMP access should be allowed only from trusted network devices. For configuration options, see Secure Your Simple Network Management Protocol.

    To disable OIDs, complete the following steps:

    1. Create an SNMP view with the standard security configurations.

    snmp-server view SNMP_DOS iso included
    snmp-server view SNMP_DOS snmpUsmMIB excluded
    snmp-server view SNMP_DOS snmpVacmMIB excluded
    snmp-server view SNMP_DOS snmpCommunityMIB excluded

    2. Exclude the vulnerable OIDs from the SNMP view.

    Cisco IOS and IOS XE Software OIDs

    snmp-server view SNMP_DOS ipAddressPrefixEntry.5 excluded
    snmp-server view SNMP_DOS ipDefaultRouterEntry.4 excluded
    snmp-server view SNMP_DOS tcp.19.1.7 excluded
    snmp-server view SNMP_DOS tcp.20.1.4 excluded
    snmp-server view SNMP_DOS udp.7.1.8 excluded
    snmp-server view SNMP_DOS inetCidrRouteEntry.7 excluded
    snmp-server view SNMP_DOS ospfv3AreaAggregateEntry.6 excluded
    snmp-server view SNMP_DOS lispMappingDatabaseLocatorRlocPriority excluded
    snmp-server view SNMP_DOS mplsVpnInterfaceConfEntry.2 excluded
    snmp-server view SNMP_DOS mplsVpnVrfRouteTargetEntry.4 excluded
    snmp-server view SNMP_DOS mplsVpnVrfBgpNbrAddrEntry.2 excluded
    snmp-server view SNMP_DOS nhrpCachePrefixLength excluded
    snmp-server view SNMP_DOS nhrpServerCacheAuthoritative excluded
    snmp-server view SNMP_DOS nlmLogEntry.2 excluded
    snmp-server view SNMP_DOS nlmLogVariableEntry.2 excluded
    snmp-server view SNMP_DOS mplsXCLspId excluded
    snmp-server view SNMP_DOS mplsLabelStackLabel excluded
    snmp-server view SNMP_DOS cpaeMIBObject.5.1.3 excluded
    snmp-server view SNMP_DOS cContextMappingBridgeDomainIdentifier excluded
    snmp-server view SNMP_DOS cilmCurrentImageLevel excluded
    snmp-server view SNMP_DOS cilmImageLicenseImageLevel excluded
    snmp-server view SNMP_DOS cewProxyClass excluded
    snmp-server view SNMP_DOS cewEventTime excluded
    snmp-server view SNMP_DOS cpwVcPeerMappingVcIndex excluded
    snmp-server view SNMP_DOS ciiSummAddrEntry excluded
    snmp-server view SNMP_DOS mplsLdpLspFecStorageType excluded
    snmp-server view SNMP_DOS mplsL3VpnIfConfEntry.2 excluded
    snmp-server view SNMP_DOS mplsL3VpnVrfRTEntry.4 excluded
    snmp-server view SNMP_DOS mplsL3VpnVrfRteEntry.7 excluded
    snmp-server view SNMP_DOS ciscoFlashChipEntry excluded
    snmp-server view SNMP_DOS cbgpPeer2CapValue excluded
    snmp-server view SNMP_DOS cbgpPeer2AddrFamilyName excluded
    snmp-server view SNMP_DOS cbgpPeer2AcceptedPrefixes excluded
    snmp-server view SNMP_DOS callHomeDestEmailAddressEntry.2 excluded
    snmp-server view SNMP_DOS callHomeSwInventoryEntry.3 excluded
    snmp-server view SNMP_DOS cEigrpActive excluded
    snmp-server view SNMP_DOS cipUrpfVrfIfDrops excluded
    snmp-server view SNMP_DOS cefPathType excluded
    snmp-server view SNMP_DOS cefAdjSource excluded
    snmp-server view SNMP_DOS cefFESelectionSpecial excluded
    snmp-server view SNMP_DOS cvVrfListVrfIndex excluded
    snmp-server view SNMP_DOS ctspIpSgtMappingEntry.5 excluded
    snmp-server view SNMP_DOS ciiRedistributeAddrEntry.4 excluded
    snmp-server view SNMP_DOS ciiIPRAEntry.5 excluded
    snmp-server view SNMP_DOS ciiLSPTLVEntry.2 excluded
    snmp-server view SNMP_DOS ccmSeverityAlertGroupEntry.1 excluded
    snmp-server view SNMP_DOS ccmPeriodicAlertGroupEntry.1 excluded
    snmp-server view SNMP_DOS ccmPatternAlertGroupEntry.2 excluded
    snmp-server view SNMP_DOS callHomeUserDefCmdEntry.2 excluded
    snmp-server view SNMP_DOS ccmEventAlertGroupEntry.1 excluded
    snmp-server view SNMP_DOS cipsStaticCryptomapType excluded
    snmp-server view SNMP_DOS ciscoFlashFileEntry.2 excluded

    Cisco IOS XR Software OIDs

    snmp-server view SNMP_DOS udp.7.1.8 excluded
    snmp-server view SNMP_DOS tcp.19.1.7 excluded
    snmp-server view SNMP_DOS tcp.20.1.4 excluded
    snmp-server view SNMP_DOS inetCidrRouteEntry.7 excluded
    snmp-server view SNMP_DOS ipAddressPrefixEntry.5 excluded
    snmp-server view SNMP_DOS ipDefaultRouterEntry.4 excluded
    snmp-server view SNMP_DOS 1.3.6.1.2.1.191.1.12.1.6 excluded
    snmp-server view SNMP_DOS 1.3.6.1.2.1.92.1.3.1.1.2 excluded
    snmp-server view SNMP_DOS 1.3.6.1.2.1.92.1.3.2.1.2 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.106.1.7.1.5 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.106.1.8.1.5 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.171.1.2.2.1.6 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.171.1.2.4.1.7 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.1.1.1.7 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.6.1.3 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.7.1.3 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.8.1.1 excluded
    snmp-server view SNMP_DOS 1.3.6.1.2.1.10.166.4.1.3.10.1.4 excluded
    snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.62.1.2.3.3.1.2 excluded

    For SNMP v1 or v2c, apply this configuration to all configured community strings. Use the following command:

    snmp-server community mycomm view SNMP_DOS RO

    For SNMP v3, apply this to all configured SNMP users using the following command:

    snmp-server group v3group v3 auth read SNMP_DOS write SNMP_DOS

    While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
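The following Python audit is an added example, not code from the Cisco advisory. It parses a running-config excerpt (constructed for the example) and reports, for the Determine the Device Configuration check and the mitigation steps above, whether v1/v2c community strings are present, which community strings and v3 groups are not bound to the SNMP_DOS view, and which OIDs from a required exclusion list are still missing from that view. The OID list here is a short subset of the advisory's; a real audit would carry the full list for the platform.

```python
# Added example (not Cisco's code): audit a running-config excerpt against
# the advisory's SNMP view mitigation. Line-oriented parsing only.

# Constructed running-config excerpt, not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server view SNMP_DOS iso included
snmp-server view SNMP_DOS snmpUsmMIB excluded
snmp-server view SNMP_DOS udp.7.1.8 excluded
snmp-server view SNMP_DOS tcp.19.1.7 excluded
snmp-server community public RO
snmp-server community mycomm view SNMP_DOS RO
snmp-server group v3group v3 noauth
snmp-server group ops v3 auth read SNMP_DOS write SNMP_DOS
"""

# Subset of the advisory's exclusion list, chosen for this example only;
# a production audit would use the complete IOS/IOS XE or IOS XR list.
REQUIRED_EXCLUDED = [
    "udp.7.1.8", "tcp.19.1.7", "tcp.20.1.4", "inetCidrRouteEntry.7",
    "ipAddressPrefixEntry.5", "ipDefaultRouterEntry.4",
]


def audit_snmp(config, view="SNMP_DOS", required=REQUIRED_EXCLUDED):
    """Return which SNMP principals bypass `view` and which OIDs it lacks."""
    excluded = set()
    communities, unguarded_communities, unguarded_groups = [], [], []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] != "snmp-server":
            continue
        if p[1] == "view" and len(p) >= 5 and p[2] == view and p[-1] == "excluded":
            excluded.add(p[3])                       # OID or MIB object name
        elif p[1] == "community":
            # snmp-server community NAME [view VIEW] [RO|RW] [ACL]
            communities.append(p[2])                 # any community => v1/v2c enabled
            bound = "view" in p[3:] and p[p.index("view", 3) + 1] == view
            if not bound:
                unguarded_communities.append(p[2])   # falls back to the default view
        elif p[1] == "group" and "v3" in p[3:]:
            # snmp-server group NAME v3 {auth|noauth|priv} [read V] [write V] ...
            rv = p[p.index("read") + 1] if "read" in p else None    # None = default view
            wv = p[p.index("write") + 1] if "write" in p else view  # absent = no write
            if rv != view or wv != view:
                unguarded_groups.append(p[2])
    return {
        "v1_v2c_enabled": bool(communities),
        "unguarded_communities": unguarded_communities,
        "unguarded_groups": unguarded_groups,
        "missing_exclusions": [oid for oid in required if oid not in excluded],
    }


if __name__ == "__main__":
    for key, value in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of show running-config | include snmp-server from each device to find principals the mitigation has not yet been applied to.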

Fixed Software

  • Cisco plans to release free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    In the following tables, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities that are described in this advisory and the first release that includes the fix for these vulnerabilities. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.

    IOS and IOS XE Software

    Cisco IOS Software Release   First Fixed Release
    15.2E                        15.2(7)E12 (Mar 2025)
    15.5SY                       15.5(1)SY15 (Mar 2025)
    15.9M                        15.9(3)M11 (Feb 2025)

    Cisco IOS XE Software Release   First Fixed Release
    3.11E                           3.11.12E (Mar 2025)
    16.12                           16.12.13 (Mar 2025)
    17.9                            17.9.7 (Mar 2025)
    17.12                           17.12.5 (Feb 2025)
    17.15                           17.15.3 (Mar 2025)

    For the most up-to-date and accurate information, use the Cisco IOS and IOS XE Software Checker.

    IOS and IOS XE Software Checker

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).

    To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to determine whether a release is affected by any Cisco Security Advisory. To use the form, follow these steps:

    1. Choose which advisories the tool will search: only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
    2. Enter a release number, for example 15.9(3)M2 or 17.3.3.
    3. Click Check.

    IOS XR Software

    Cisco IOS XR Software Release   First Fixed Release
    24.2 and earlier                24.2.21
    24.3                            Migrate to a fixed release.
    24.4                            24.4.2
    25.2                            25.2.1

    For the most up-to-date release information, see CSCwn08493.

    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.

Source

  • Cisco would like to thank leg00m working with Trend Micro Zero Day Initiative for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Revision History

  • Version   Description               Section   Status   Date
    1.0       Initial public release.             Final    2025-FEB-05

Original Post url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20IOS,%20IOS%20XE,%20and%20IOS%20XR%20Software%20SNMP%20Denial%20of%20Service%20Vulnerabilities%26vs_k=1