Lucene search
K

Cisco IOS XE Software SNMP DoS RCE (cisco-sa-snmp-x4LPhte)

🗓️ 03 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 5 Views

Cisco IOS XE SNMP stack overflow may cause DoS or root code execution with crafted packets.

Related
Refs
Code
#TRUSTED 1544e03b1482e893c819ef841a05c98a5d8d54ed6df2930ebb562c86497a083b2d0f6444cf3b466b832a85938b707db1250e27c4065ffddbc46b00b22ffc93a4f0bec013b1816d791948f5c73a37f6911d4304d42e699d3c66eec168422474483e82f850d0e804a85c07ad0d0cd8e519187790a9b43b6e3dc5bff2fc78cbf0b723299b5f8027e7ef3032459db19a4f67ebbe209e7ad007b9778274594fdc3945a402f2088b1277f8f5666ad93d477f8d590ec2ac8401b822aeac744d042bd17009d1637d08290234953d19d2503331e278a00ebcfb50b3d7603136110c380e61c5f2334400b53a01ac55b440a6e0bb28b23129b442359ffaa575acc8dcbadfab533870ee5d3b363498886281e584a5b8a296d72f61d6acd269acb1412157541c8e7f7c72fe1a8064657d80f81a117bdef3d40f6b311d5b1678dedbfa4631251f47bdd9a4138bda7330bd58886d13ab1ec3b8476cd8aa141b344d9a89f439b10c86d3b65942ddce0081b722a118dbdb5cf4b2398a2ffe9935bec68afcdc18046f0c19362c213d8b7ffc8c0738db2add820b8a624d80135f6086fa8804c3f0efbb6be1bd7d14ea7aa5fbb0f4b70e6244026f2821e7438f2e678dfca7bc54e903dc7cbeb418934729b00a9d6fe287d80615fd74dadfb533a662c26dafc18c775f8a1c5042eca6ade871ba478ee401ceec011ba53c2b546f9294991d998deb10c028
#TRUST-RSA-SHA256 5d05a2b1e6af1851cc9202b5f80af985e0a2c577156fecd9ca05a5e8eaece4a84472cde11eff8e742008501068aa96e0c90d7388c2faf72f512305216069b36096188ebe46dab5b3561b25fa898b919097098e0c027d9f4e87465da78537149fa7d53aeb273a24170718ea05baecbb8089b54506b4cfcbf5a951ca0da4facb2719ba9ee9620d82dc2093f29e18c79909ebbfa29e6a3c2977dba4d137cf418c36217986fa84f1f8fe636c6dba80e2cbeef54fa92ad3163cf361272fd8e72c6977e086beb42cb2ec308d27341774c727af2a374339bc49dea37ef2751096921b1b901030ef6453b7e52df58f7070780e7160f1127d633ada858a006f5413f98b0c995b0d9e488d11bc56296a9539d1e627055588f9f220ab8ace53b0803601d6331bd5af0b283bf619237079dcbbfaf6ef106fdec1d1140eeb1e79cf6f6c07aae20626ab5c3bdf89e3f08074969abcac200ad88bbf40e82e5e2726ed1ce826b8a69fae154e919a70e5bbc1d95cdf38c31e74b32de147fa473421398c2082d36bb93f6eb0f63b1d9767a8f5702b6dd982108e4bab15572db547720537753010be070c499e1a37ddede9643220cdb174fb8bf472de16d0319fea3bd8a82e7aeee9d69c3ff0bbae41e5377c4e7d3170adbacf514db5da7b3e30139891b8bfdfacb5c56efe2002c14bd71ccd7ef045ea8289f95be0880c90fac35e45380e1f0345d2b5
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(266453);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/16");

  script_cve_id("CVE-2025-20352");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwq31287");
  script_xref(name:"CISCO-SA", value:"cisco-sa-snmp-x4LPhte");
  script_xref(name:"IAVA", value:"2025-A-0701");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/10/20");

  script_name(english:"Cisco IOS XE Software SNMP DoS RCE (cisco-sa-snmp-x4LPhte)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

  - A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco
    IOS XE Software could allow the following:  An authenticated, remote attacker with low privileges could
    cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or
    Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community
    string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could
    execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code
    as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user
    credentials and administrative or privilege 15 credentials on the affected device. An attacker could
    exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6
    networks.  This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected
    software. A successful exploit could allow a low-privileged attacker to cause the affected system to
    reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the
    root user and obtain full control of the affected system.  Note: This vulnerability affects all versions
    of SNMP. (CVE-2025-20352)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7b02fe37");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75296
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acad5d9e");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq31287");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwq31287");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-20352");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/03");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
var model = product_info.model;
if (empty_or_null(model)) model = '';

var version_list=make_list(
  '3.5.0E',
  '3.5.0SQ',
  '3.5.1E',
  '3.5.1SQ',
  '3.5.2E',
  '3.5.2SQ',
  '3.5.3E',
  '3.5.3SQ',
  '3.5.4SQ',
  '3.5.5SQ',
  '3.5.6SQ',
  '3.5.7SQ',
  '3.5.8SQ',
  '3.6.0E',
  '3.6.0aE',
  '3.6.0bE',
  '3.6.1E',
  '3.6.2E',
  '3.6.2aE',
  '3.6.3E',
  '3.6.4E',
  '3.6.5E',
  '3.6.5aE',
  '3.6.6E',
  '3.6.7E',
  '3.6.7aE',
  '3.6.7bE',
  '3.6.8E',
  '3.6.9E',
  '3.6.9aE',
  '3.6.10E',
  '3.7.0E',
  '3.7.1E',
  '3.7.2E',
  '3.7.3E',
  '3.7.4E',
  '3.7.5E',
  '3.8.0E',
  '3.8.1E',
  '3.8.2E',
  '3.8.3E',
  '3.8.4E',
  '3.8.5E',
  '3.8.5aE',
  '3.8.6E',
  '3.8.7E',
  '3.8.8E',
  '3.8.9E',
  '3.8.10E',
  '3.8.10cE',
  '3.8.10dE',
  '3.9.0E',
  '3.9.1E',
  '3.9.2E',
  '3.9.2bE',
  '3.10.0E',
  '3.10.0cE',
  '3.10.1E',
  '3.10.1aE',
  '3.10.1sE',
  '3.10.2E',
  '3.10.3E',
  '3.11.0E',
  '3.11.1E',
  '3.11.1aE',
  '3.11.2E',
  '3.11.2aE',
  '3.11.3E',
  '3.11.3aE',
  '3.11.4E',
  '3.11.5E',
  '3.11.6E',
  '3.11.7E',
  '3.11.8E',
  '3.11.9E',
  '3.11.10E',
  '3.11.11E',
  '3.11.12E',
  '3.14.0S',
  '3.14.1S',
  '3.14.2S',
  '3.14.3S',
  '3.14.4S',
  '3.15.0S',
  '3.15.1S',
  '3.15.1cS',
  '3.15.2S',
  '3.15.3S',
  '3.15.4S',
  '3.16.0S',
  '3.16.0aS',
  '3.16.0bS',
  '3.16.0cS',
  '3.16.1S',
  '3.16.1aS',
  '3.16.2S',
  '3.16.2aS',
  '3.16.2bS',
  '3.16.3S',
  '3.16.3aS',
  '3.16.4S',
  '3.16.4aS',
  '3.16.4bS',
  '3.16.4cS',
  '3.16.4dS',
  '3.16.4eS',
  '3.16.4gS',
  '3.16.5S',
  '3.16.5aS',
  '3.16.5bS',
  '3.16.6S',
  '3.16.6bS',
  '3.16.7S',
  '3.16.7aS',
  '3.16.7bS',
  '3.16.8S',
  '3.16.9S',
  '3.16.10S',
  '3.16.10aS',
  '3.16.10bS',
  '3.17.0S',
  '3.17.1S',
  '3.17.1aS',
  '3.17.2S',
  '3.17.3S',
  '3.17.4S',
  '3.18.0S',
  '3.18.0SP',
  '3.18.0aS',
  '3.18.1S',
  '3.18.1SP',
  '3.18.1aSP',
  '3.18.1bSP',
  '3.18.1cSP',
  '3.18.1gSP',
  '3.18.1hSP',
  '3.18.1iSP',
  '3.18.2S',
  '3.18.2SP',
  '3.18.2aSP',
  '3.18.3S',
  '3.18.3SP',
  '3.18.3aSP',
  '3.18.3bSP',
  '3.18.4S',
  '3.18.4SP',
  '3.18.5SP',
  '3.18.6SP',
  '3.18.7SP',
  '3.18.8aSP',
  '3.18.9SP',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.6.4',
  '16.6.4a',
  '16.6.4s',
  '16.6.5',
  '16.6.5a',
  '16.6.5b',
  '16.6.6',
  '16.6.7',
  '16.6.7a',
  '16.6.8',
  '16.6.9',
  '16.6.10',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.7.2',
  '16.7.3',
  '16.7.4',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c',
  '16.8.1d',
  '16.8.1e',
  '16.8.1s',
  '16.8.2',
  '16.8.3',
  '16.9.1',
  '16.9.1a',
  '16.9.1b',
  '16.9.1c',
  '16.9.1d',
  '16.9.1s',
  '16.9.2',
  '16.9.2a',
  '16.9.2s',
  '16.9.3',
  '16.9.3a',
  '16.9.3h',
  '16.9.3s',
  '16.9.4',
  '16.9.4c',
  '16.9.5',
  '16.9.5f',
  '16.9.6',
  '16.9.7',
  '16.9.8',
  '16.9.8a',
  '16.9.8b',
  '16.10.1',
  '16.10.1a',
  '16.10.1b',
  '16.10.1c',
  '16.10.1d',
  '16.10.1e',
  '16.10.1f',
  '16.10.1g',
  '16.10.1s',
  '16.10.2',
  '16.10.3',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1c',
  '16.11.1s',
  '16.11.2',
  '16.12.1',
  '16.12.1a',
  '16.12.1c',
  '16.12.1s',
  '16.12.1t',
  '16.12.1w',
  '16.12.1x',
  '16.12.1y',
  '16.12.1z',
  '16.12.1z1',
  '16.12.1z2',
  '16.12.2',
  '16.12.2a',
  '16.12.2s',
  '16.12.2t',
  '16.12.3',
  '16.12.3a',
  '16.12.3s',
  '16.12.4',
  '16.12.4a',
  '16.12.5',
  '16.12.5a',
  '16.12.5b',
  '16.12.6',
  '16.12.6a',
  '16.12.7',
  '16.12.8',
  '16.12.9',
  '16.12.10',
  '16.12.10a',
  '16.12.11',
  '16.12.12',
  '16.12.13',
  '17.1.1',
  '17.1.1a',
  '17.1.1s',
  '17.1.1t',
  '17.1.2',
  '17.1.3',
  '17.2.1',
  '17.2.1a',
  '17.2.1r',
  '17.2.1v',
  '17.2.2',
  '17.2.3',
  '17.3.1',
  '17.3.1a',
  '17.3.1w',
  '17.3.1x',
  '17.3.1z',
  '17.3.2',
  '17.3.2a',
  '17.3.3',
  '17.3.3a',
  '17.3.4',
  '17.3.4a',
  '17.3.4b',
  '17.3.4c',
  '17.3.5',
  '17.3.5a',
  '17.3.5b',
  '17.3.6',
  '17.3.7',
  '17.3.8',
  '17.3.8a',
  '17.4.1',
  '17.4.1a',
  '17.4.1b',
  '17.4.1c',
  '17.4.2',
  '17.4.2a',
  '17.5.1',
  '17.5.1a',
  '17.6.1',
  '17.6.1a',
  '17.6.1w',
  '17.6.1x',
  '17.6.1y',
  '17.6.1z',
  '17.6.1z1',
  '17.6.2',
  '17.6.3',
  '17.6.3a',
  '17.6.4',
  '17.6.5',
  '17.6.5a',
  '17.6.6',
  '17.6.6a',
  '17.6.7',
  '17.6.8',
  '17.6.8a',
  '17.7.1',
  '17.7.1a',
  '17.7.1b',
  '17.7.2',
  '17.8.1',
  '17.8.1a',
  '17.9.1',
  '17.9.1a',
  '17.9.1w',
  '17.9.1x',
  '17.9.1x1',
  '17.9.1y',
  '17.9.1y1',
  '17.9.2',
  '17.9.2a',
  '17.9.3',
  '17.9.3a',
  '17.9.4',
  '17.9.4a',
  '17.9.5',
  '17.9.5a',
  '17.9.5b',
  '17.9.5c',
  '17.9.5d',
  '17.9.5e',
  '17.9.5f',
  '17.9.6',
  '17.9.6a',
  '17.9.6b',
  '17.9.7',
  '17.9.7a',
  '17.9.7b',
  '17.10.1',
  '17.10.1a',
  '17.10.1b',
  '17.11.1',
  '17.11.1a',
  '17.12.1',
  '17.12.1a',
  '17.12.1w',
  '17.12.1x',
  '17.12.1y',
  '17.12.1z',
  '17.12.1z1',
  '17.12.1z2',
  '17.12.1z3',
  '17.12.1z4',
  '17.12.2',
  '17.12.2a',
  '17.12.3',
  '17.12.3a',
  '17.12.4',
  '17.12.4a',
  '17.12.4b',
  '17.12.5',
  '17.12.5a',
  '17.12.5b',
  '17.12.5c',
  '17.13.1',
  '17.13.1a',
  '17.14.1',
  '17.14.1a',
  '17.15.1',
  '17.15.1a',
  '17.15.1b',
  '17.15.1w',
  '17.15.1x',
  '17.15.1y',
  '17.15.1z',
  '17.15.2',
  '17.15.2a',
  '17.15.2b',
  '17.15.2c',
  '17.15.3',
  '17.15.3a',
  '17.15.3b',
  '17.15.4',
  '17.16.1',
  '17.16.1a',
  '17.17.1',
  '17.18.1'
);

var bid = 'CSCwq31287';
var smus = {};
if (model =~ "^C9(200|300|400|500|600|800)") smus['17.15.4'] = bid;

var workarounds = make_list(CISCO_WORKAROUNDS['snmp_v1_or_v2c_enabled'], CISCO_WORKAROUNDS['snmp_v3_enabled']);

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_WARNING,
  'version' , product_info['version'],
  'bug_id'  , bid
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  smus:smus,
  vuln_versions:version_list
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Jun 2026 00:00Current
9.2High risk
Vulners AI Score9.2
CVSS 3.17.7
EPSS0.37613
SSVC
5