Cisco Security Advisory
Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities
Click Icon to Copy Verbose Score
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
-
Multiple vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW
-
Vulnerable Products
These vulnerabilities affect Cisco devices if they are running a vulnerable release of Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software with the SNMP feature enabled. These vulnerabilities affect all versions of SNMP (versions 1, 2c, and 3).
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether a device has SNMP v1 or v2c enabled, use the show running-configuration | include snmp-server community CLI command. If there is output, SNMP is enabled, as shown in the following example:
Router# show running-config | include snmp-server community
snmp-server community public roTo determine whether a device has SNMP v3 enabled, use the show running-configuration | include snmp-server group and show snmp user CLI commands. If there is output from both commands, SNMP v3 is enabled, as shown in the following example:
Router# show running-config | include snmp-server group
snmp-server group v3group v3 noauth
Router# show snmp user
User name: remoteuser1
Engine ID: 800000090300EE01E71C178C
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: v3group
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
-
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
Details about the vulnerabilities are as follows:
CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, CVE-2025-20173, CVE-2025-20174, CVE-2025-20175, CVE-2025-20176: Cisco IOS and IOS XE Software SNMP Software Denial of Service Vulnerabilities
Multiple vulnerabilities in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.
These vulnerabilities are due to improper error handling when parsing SNMP requests. An attacker could exploit these vulnerabilities by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
These vulnerabilities affect SNMP versions 1, 2c, and 3. To exploit these vulnerabilities through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit these vulnerabilities through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.
Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.
Bug ID(s): CSCwm79581, CSCwm79554, CSCwm79564, CSCwm79590, CSCwm79570, CSCwm79596, CSCwm79577
CVE ID(s): CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, CVE-2025-20173, CVE-2025-20174, CVE-2025-20175, CVE-2025-20176
Security Impact Rating (SIR): High
CVSS Base Score: 7.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HCVE-2025-20172: Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities
A vulnerability in the SNMP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.
This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. For Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. For Cisco IOS XR Software, a successful exploit could allow the attacker to cause the SNMP process to restart, resulting in an interrupted SNMP response from an affected device. Devices that are running Cisco IOS XR Software will not reload.
This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.
Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. There are mitigations that address these vulnerabilities.
Cisco IOS and IOS XE Software
Bug ID(s): CSCwm89600
CVE ID(s): CVE-2025-20172
Security Impact Rating (SIR): High
CVSS Base Score: 7.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HCisco IOS XR Software
Bug ID(s): CSCwn08493
CVE ID(s): CVE-2025-20172
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
-
There are no workarounds that address these vulnerabilities. However, there are mitigations. Cisco strongly recommends implementing these mitigations until fixed software is available and an upgrade can be performed.
Administrators can disable the vulnerable object identifiers (OIDs) on a device. Not all software will support each OID that is listed in the mitigation. If the OID is not valid for specific software, then it is not vulnerable to that specific vulnerability. Excluding these OIDs may affect device management through SNMP, such as discovery and hardware inventory.
As a best practice, SNMP access should be allowed only from trusted network devices. For configuration options, see Secure Your Simple Network Management Protocol.
To disable OIDs, complete the following steps:
1. Create an SNMP view with the standard security configurations.
snmp-server view SNMP_DOS iso included
snmp-server view SNMP_DOS snmpUsmMIB excluded
snmp-server view SNMP_DOS snmpVacmMIB excluded
snmp-server view SNMP_DOS snmpCommunityMIB excluded2. Exclude the vulnerable OIDs from the SNMP view.
Cisco IOS and IOS XE Software OIDs
snmp-server view SNMP_DOS ipAddressPrefixEntry.5 excluded
snmp-server view SNMP_DOS ipDefaultRouterEntry.4 excluded
snmp-server view SNMP_DOS tcp.19.1.7 excluded
snmp-server view SNMP_DOS tcp.20.1.4 excluded
snmp-server view SNMP_DOS udp.7.1.8 excluded
snmp-server view SNMP_DOS inetCidrRouteEntry.7 excluded
snmp-server view SNMP_DOS ospfv3AreaAggregateEntry.6 excluded
snmp-server view SNMP_DOS lispMappingDatabaseLocatorRlocPriority excluded
snmp-server view SNMP_DOS mplsVpnInterfaceConfEntry.2 excluded
snmp-server view SNMP_DOS mplsVpnVrfRouteTargetEntry.4 excluded
snmp-server view SNMP_DOS mplsVpnVrfBgpNbrAddrEntry.2 excluded
snmp-server view SNMP_DOS nhrpCachePrefixLength excluded
snmp-server view SNMP_DOS nhrpServerCacheAuthoritative excluded
snmp-server view SNMP_DOS nlmLogEntry.2 excluded
snmp-server view SNMP_DOS nlmLogVariableEntry.2 excluded
snmp-server view SNMP_DOS mplsXCLspId excluded
snmp-server view SNMP_DOS mplsLabelStackLabel excluded
snmp-server view SNMP_DOS cpaeMIBObject.5.1.3 excluded
snmp-server view SNMP_DOS cContextMappingBridgeDomainIdentifier excluded
snmp-server view SNMP_DOS cilmCurrentImageLevel excluded
snmp-server view SNMP_DOS cilmImageLicenseImageLevel excluded
snmp-server view SNMP_DOS cewProxyClass excluded
snmp-server view SNMP_DOS cewEventTime excluded
snmp-server view SNMP_DOS cpwVcPeerMappingVcIndex excluded
snmp-server view SNMP_DOS ciiSummAddrEntry excluded
snmp-server view SNMP_DOS mplsLdpLspFecStorageType excluded
snmp-server view SNMP_DOS mplsL3VpnIfConfEntry.2 excluded
snmp-server view SNMP_DOS mplsL3VpnVrfRTEntry.4 excluded
snmp-server view SNMP_DOS mplsL3VpnVrfRteEntry.7 excluded
snmp-server view SNMP_DOS ciscoFlashChipEntry excluded
snmp-server view SNMP_DOS cbgpPeer2CapValue excluded
snmp-server view SNMP_DOS cbgpPeer2AddrFamilyName excluded
snmp-server view SNMP_DOS cbgpPeer2AcceptedPrefixes excluded
snmp-server view SNMP_DOS callHomeDestEmailAddressEntry.2 excluded
snmp-server view SNMP_DOS callHomeSwInventoryEntry.3 excluded
snmp-server view SNMP_DOS cEigrpActive excluded
snmp-server view SNMP_DOS cipUrpfVrfIfDrops excluded
snmp-server view SNMP_DOS cefPathType excluded
snmp-server view SNMP_DOS cefAdjSource excluded
snmp-server view SNMP_DOS cefFESelectionSpecial excluded
snmp-server view SNMP_DOS cvVrfListVrfIndex excluded
snmp-server view SNMP_DOS ctspIpSgtMappingEntry.5 excluded
snmp-server view SNMP_DOS ciiRedistributeAddrEntry.4 excluded
snmp-server view SNMP_DOS ciiIPRAEntry.5 excluded
snmp-server view SNMP_DOS ciiLSPTLVEntry.2 excluded
snmp-server view SNMP_DOS ccmSeverityAlertGroupEntry.1 excluded
snmp-server view SNMP_DOS ccmPeriodicAlertGroupEntry.1 excluded
snmp-server view SNMP_DOS ccmPatternAlertGroupEntry.2 excluded
snmp-server view SNMP_DOS callHomeUserDefCmdEntry.2 excluded
snmp-server view SNMP_DOS ccmEventAlertGroupEntry.1 excluded
snmp-server view SNMP_DOS cipsStaticCryptomapType excluded
snmp-server view SNMP_DOS ciscoFlashFileEntry.2 excludedCisco IOS XR Software OIDS
snmp-server view SNMP_DOS udp.7.1.8 excluded
snmp-server view SNMP_DOS tcp.19.1.7 excluded
snmp-server view SNMP_DOS tcp.20.1.4 excluded
snmp-server view SNMP_DOS inetCidrRouteEntry.7 excluded
snmp-server view SNMP_DOS ipAddressPrefixEntry.5 excluded
snmp-server view SNMP_DOS ipDefaultRouterEntry.4 excluded
snmp-server view SNMP_DOS 1.3.6.1.2.1.191.1.12.1.6 excluded
snmp-server view SNMP_DOS 1.3.6.1.2.1.92.1.3.1.1.2 excluded
snmp-server view SNMP_DOS 1.3.6.1.2.1.92.1.3.2.1.2 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.106.1.7.1.5 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.106.1.8.1.5 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.171.1.2.2.1.6 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.171.1.2.4.1.7 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.1.1.1.7 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.6.1.3 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.7.1.3 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.9.187.1.2.8.1.1 excluded
snmp-server view SNMP_DOS 1.3.6.1.2.1.10.166.4.1.3.10.1.4 excluded
snmp-server view SNMP_DOS 1.3.6.1.4.1.9.10.62.1.2.3.3.1.2 excludedFor SNMP v1 or v2c, apply this configuration to all configured community strings. Use the following command:
snmp-server community mycomm view SNMP_DOS RO
For SNMP v3, apply this to all configured SNMP users using the following command:
snmp-server group v3group v3 auth read SNMP_DOS write SNMP_DOS
While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
-
Cisco plans to release free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.htmlAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
In the following tables, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities that are described in this advisory and the first release that includes the fix for these vulnerabilities. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
IOS and IOS XE Software
Cisco IOS Software Release First Fixed Release 15.2E 15.2(7)E12 (Mar 2025) 15.5SY 15.5(1)SY15 (Mar 2025) 15.9M 15.9(3)M11 (Mar 2025)
Cisco IOS XE Software Release First Fixed Release 3.11E 3.11.12E (Mar 2025) 16.12 16.12.13 (Mar 2025) 17.9 17.9.7 (Mar 2025) 17.12 17.12.5 (Mar 2025) 17.15 17.15.3 (Mar 2025) For the most up to date and accurate information, use the Cisco IOS and IOS XE Software Checker.
IOS and IOS XE Software Checker
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to determine whether a release is affected by any Cisco Security Advisory. To use the form, follow these steps:
- Choose which advisories the tool will search-only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
- Enter a release number-for example, 15.9(3)M2 or 17.3.3.
- Click Check.
IOS XR Software
Cisco IOS XR Software Release First Fixed Release 24.2 and earlier 24.2.21 24.3 Migrate to a fixed release. 24.4 24.4.2 25.2 25.2.1 For the most up-to-date release information, see CSCwn08493.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
-
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.
-
Cisco would like to thank leg00m working with Trend Micro Zero Day Initiative for reporting these vulnerabilities.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.1 Corrected a link on a bug ID. Updated the dates for fixed software. Details and Fixed Releases Final 2025-MAR-12 1.0 Initial public release. - Final 2025-FEB-05
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.