CVE-2025-20172 Overview
CVE-2025-20172 is a denial-of-service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. An authenticated, remote attacker can send a crafted SNMP request to trigger improper error handling during request parsing. On Cisco IOS and IOS XE devices, successful exploitation causes the device to reload unexpectedly. On Cisco IOS XR devices, the SNMP process restarts and interrupts SNMP responses, but the device itself does not reload. The vulnerability affects SNMP versions 1, 2c, and 3, and requires a valid community string or SNMP user credentials.
Critical Impact
A single crafted SNMP packet from an authenticated attacker can force affected Cisco IOS and IOS XE devices into an unexpected reload, disrupting routing, switching, and management plane availability across enterprise and service provider networks.
Affected Products
- Cisco IOS Software (multiple 12.2, 15.x releases)
- Cisco IOS XE Software (3.x, 16.x, 17.x release trains)
- Cisco IOS XR Software (7.x, 24.x release trains)
Discovery Timeline
- 2025-02-05 - CVE-2025-20172 published to NVD
- 2025-07-03 - Last updated in NVD database
Technical Details for CVE-2025-20172
Vulnerability Analysis
The vulnerability resides in the SNMP subsystem shared by Cisco IOS, IOS XE, and IOS XR. When the SNMP engine parses an incoming request, it fails to correctly handle specific error conditions in the protocol data unit (PDU). This corresponds to [CWE-248] Uncaught Exception, where an unhandled error path terminates the responsible process.
On Cisco IOS and IOS XE, the SNMP daemon runs in the same process space as core device functions. An uncaught exception there propagates upward and forces a full device reload. On Cisco IOS XR, the SNMP service is process-isolated, so the impact is contained to a service restart that interrupts ongoing SNMP responses.
All three SNMP versions are affected. Versions 1 and 2c require knowledge of a read-only or read-write community string. Version 3 requires valid user credentials. The authentication requirement offers little protection in environments where SNMP credentials are widely shared, reused, or weakly protected, because any valid credential, including a read-only one, is enough to reach the vulnerable parsing path.
Root Cause
The root cause is improper error handling within the SNMP request parsing routine. Malformed or unexpected field combinations in an SNMP PDU trigger an exception path that the code does not gracefully recover from, terminating the SNMP process or the entire IOS/IOS XE image.
Attack Vector
An attacker with valid SNMP credentials sends a crafted SNMP GET, GETNEXT, GETBULK, or SET request to UDP port 161 on the management interface of an affected device. No user interaction is required. The crafted PDU triggers the unhandled exception and forces a reload (IOS, IOS XE) or SNMP process restart (IOS XR). Repeated requests can produce a sustained outage on platforms that reload, since each successful exploit re-triggers the boot cycle.
Detection Methods for CVE-2025-20172
Indicators of Compromise
- Unexpected device reloads on Cisco IOS or IOS XE platforms with no preceding configuration change or hardware fault, often accompanied by crash logs referencing the SNMP process.
- Repeated SNMP process restarts on Cisco IOS XR platforms, visible in show processes output and system logs.
- Inbound SNMP traffic to UDP port 161 from unexpected source addresses, particularly from hosts outside the documented network management station (NMS) inventory.
Detection Strategies
- Correlate device crash and reload events with SNMP traffic captured at the network edge or on management VLANs to identify request-driven reloads.
- Inspect syslog and crashinfo files for SNMP-related tracebacks following unscheduled reloads on IOS and IOS XE devices.
- Baseline normal SNMP polling patterns from authorized NMS hosts and alert on deviations, including unusual OIDs, oversized PDUs, or off-hours queries.
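The correlation and baselining strategies above, as an added Python example that is not part of the original page: it maps a reload event to the SNMP flows that reached the device in the preceding minute and tags each one with the deviations to alert on. The NMS inventory, polling window, size threshold, flow records and reload event are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory of authorized NMS hosts (assumption for this example).
NMS_INVENTORY = {"10.10.10.5", "10.10.10.6"}
POLL_WINDOW = (6, 22)       # assumed hours of the day when polling is expected
MAX_PDU_BYTES = 484         # RFC 3416 minimum max-message-size; used here as a tunable baseline
LOOKBACK = timedelta(seconds=60)

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, udp_payload_bytes)
FLOWS = [
    ("2025-03-01 03:12:40", "10.10.10.5", "10.0.0.1", 161, 120),
    ("2025-03-01 03:14:02", "192.0.2.50", "10.0.0.1", 161, 1400),
    ("2025-03-01 03:14:05", "192.0.2.50", "10.0.0.1", 161, 1400),
    ("2025-03-01 03:14:30", "10.10.10.6", "10.0.0.1", 161, 96),
    ("2025-03-01 09:00:00", "10.10.10.5", "10.0.0.1", 161, 120),
]
# Constructed reload event: (timestamp taken from syslog or crashinfo, device address)
RELOADS = [("2025-03-01 03:14:40", "10.0.0.1")]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def flag_flow(ts, src, size):
    """Return the deviations a single SNMP flow exhibits against the baseline."""
    reasons = []
    if src not in NMS_INVENTORY:
        reasons.append("source-not-in-nms-inventory")
    if not (POLL_WINDOW[0] <= ts.hour < POLL_WINDOW[1]):
        reasons.append("off-hours")
    if size > MAX_PDU_BYTES:
        reasons.append("oversized-pdu")
    return reasons


def correlate(flows, reloads):
    """For each reload, list SNMP flows that hit the device within LOOKBACK before it."""
    findings = []
    for r_ts, device in reloads:
        r_time = parse(r_ts)
        for ts, src, dst, dport, size in flows:
            t = parse(ts)
            if dst != device or dport != 161:
                continue
            if r_time - LOOKBACK <= t <= r_time:
                findings.append({"reload": r_ts, "device": device, "src": src,
                                 "at": ts, "reasons": flag_flow(t, src, size)})
    return findings


if __name__ == "__main__":
    for f in correlate(FLOWS, RELOADS):
        print(f)
```

A flow with an empty reasons list is an authorized poller that happened to precede the reload; the ones with several tags are the first to pull into the crashinfo review.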
Monitoring Recommendations
- Enable AAA command accounting and SNMP logging to record the source of SNMP authentication events and tie them to specific community strings or v3 users.
- Forward device syslog and SNMP traps to a centralized log platform for retention and correlation with network telemetry.
- Monitor device uptime metrics and alert on unexpected resets across the routing and switching fleet.
How to Mitigate CVE-2025-20172
Immediate Actions Required
- Apply the fixed software releases identified in the Cisco Security Advisory for IOS, IOS XE, and IOS XR.
- Restrict SNMP access to authorized NMS hosts only by applying interface ACLs and SNMP server view restrictions.
- Rotate SNMP community strings and SNMPv3 credentials, and remove any default or shared values still in use.
- Audit which devices have SNMP write access enabled and disable it where not strictly required.
Patch Information
Cisco has released fixed software for affected IOS, IOS XE, and IOS XR trains. Refer to the Cisco Security Advisory cisco-sa-snmp-dos-sdxnSUcW for the complete list of fixed releases and upgrade guidance per platform.
Workarounds
- Exclude vulnerable Object Identifiers (OIDs) from SNMP views as documented by Cisco in the advisory, which prevents the affected code path from being reached.
- Apply infrastructure ACLs (iACLs) on edge and management interfaces to permit SNMP only from a defined set of NMS source addresses.
- Where SNMP is not required for operations, disable the SNMP server entirely with no snmp-server to remove the attack surface.
! Configuration example: restrict SNMP to authorized NMS hosts
! (IOS uses "!" for comment lines; "#" is not accepted in configuration mode)
ip access-list standard ACL-SNMP-NMS
 permit host 10.10.10.5
 permit host 10.10.10.6
 deny any log
!
! Optional: exclude vulnerable OIDs per Cisco advisory
! (replace <vulnerable-OID> with the identifier given in the advisory)
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED <vulnerable-OID> excluded
!
! Bind the community to both the ACL and the restricted view so v1/v2c polling is limited to the same OIDs
snmp-server community <STRONG-COMMUNITY> view RESTRICTED RO ACL-SNMP-NMS
!
! SNMPv3 group with the same view and ACL; v3 users are then assigned to group OPS
snmp-server group OPS v3 priv read RESTRICTED access ACL-SNMP-NMS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.