Mallory

Cisco IOS XE Flaws Enable Remote Code Execution and Device Takeover

Tags: embedded-device-vulnerability, perimeter-device-exposure, widely-deployed-product-advisory, actively-exploited-vulnerability, internet-exposed-service
Updated April 22, 2026 at 09:01 AM. 3 sources.

Multiple vulnerabilities in Cisco IOS and Cisco IOS XE devices have exposed routers, switches, access points, and Catalyst 9000 platforms to severe compromise, including remote code execution, denial of service, access control bypass, privilege escalation, secure boot bypass, cross-site scripting, and memory corruption. Traficom highlighted newly disclosed flaws such as CVE-2025-20334 and CVE-2025-20363, which may allow arbitrary code execution, and urged organizations to update affected products in line with Cisco’s version-specific advisories.

The warning follows earlier real-world attacks against internet-exposed Cisco IOS XE Web GUI instances, where attackers exploited CVE-2023-20198 and CVE-2023-20273 to create unauthorized administrator accounts, install a backdoor implant, and seize full control of devices. Cisco Talos reported the campaign affected exposed systems internationally, with tens of thousands of vulnerable devices identified online, while Finnish authorities said some domestic devices had already been backdoored and advised restricting Web GUI access to trusted networks or removing public internet exposure entirely.
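The advisory guidance above (restrict or remove Web GUI exposure, and watch for unauthorized administrator accounts) can be turned into a configuration audit. The following is an added example, not code from the page or from Cisco: it checks a running-config excerpt for an enabled HTTP/HTTPS server that lacks an `ip http access-class` restriction and for privilege-15 users outside an expected set. Both sample configs are constructed; the hostname, ACL number, account names and `$9$placeholder` secrets are placeholders.

```python
import re
from typing import List, Set

# Constructed sample: Web GUI enabled on HTTP and HTTPS with no access-class,
# plus a privilege-15 account the operator does not recognize.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup2 privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
"""

# Constructed sample after hardening: plaintext HTTP off, HTTPS bound to a
# standard ACL that only permits the management network.
HARDENED_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
access-list 10 permit 10.20.0.0 0.0.255.255
access-list 10 deny any log
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
"""


def audit_webui(config: str, expected_admins: Set[str]) -> List[str]:
    """Return findings for Web GUI exposure and unexpected privilege-15 users."""
    lines = [line.strip() for line in config.splitlines()]
    findings: List[str] = []
    # Exact-line membership, so "no ip http server" does not count as enabled.
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(re.match(r"ip http access-class\s+\S+", l) for l in lines)
    if http_on:
        findings.append("plaintext HTTP server enabled (ip http server)")
    if (http_on or https_on) and not restricted:
        findings.append("Web GUI enabled without an ip http access-class ACL")
    for line in lines:
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_webui(cfg, {"netops"}))
```

An access-class ACL limits who can reach the Web GUI; if the GUI is not needed at all, disabling both HTTP and HTTPS servers removes the exposure entirely.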

Timeline

  1. Sep 26, 2025

    Authorities recommend updating affected Cisco IOS and IOS XE products

    The 2025 advisory recommended that organizations update affected Cisco products in line with Cisco’s version-specific guidance and advisories. The notice highlighted management interfaces, SNMP, TACACS+, certificate services, and Cisco Catalyst 9000 platforms among the affected areas.

  2. Sep 26, 2025

    Cisco discloses multiple new IOS and IOS XE vulnerabilities

    A later security notice described multiple vulnerabilities affecting Cisco IOS and IOS XE devices, including remote code execution, denial of service, access control bypass, privilege escalation, secure boot bypass, cross-site scripting, and memory corruption flaws. Notable issues included CVE-2025-20334 and CVE-2025-20363, both of which could enable remote arbitrary code execution.

  3. Oct 27, 2023

    Finnish authorities warn owners of exposed Cisco IOS XE devices

    Finland’s Kyberturvallisuuskeskus alerted local owners of internet-exposed Cisco IOS XE devices and advised restricting Web GUI access to trusted networks or removing public exposure. It said the number of detected vulnerable devices in Finland had fallen from about 40 to under 20, though some already showed signs of the backdoor malware.

  4. Oct 22, 2023

    Cisco begins releasing security updates for IOS XE zero-days

    Cisco started issuing security updates for the exploited Cisco IOS XE vulnerabilities as the campaign unfolded. According to the cited source, the updates began on October 22, 2023.

  5. Oct 1, 2023

    Cisco Talos identifies backdoor implant and chained CVEs in campaign

    Cisco Talos reported that compromised Cisco IOS XE devices contained unauthorized user accounts and a backdoor malware implant. It later identified the campaign as exploiting both CVE-2023-20198 and CVE-2023-20273.

  6. Oct 1, 2023

    Attackers exploit Cisco IOS XE zero-day via exposed Web GUI

    A critical intrusion campaign targeted Cisco IOS XE devices whose Web GUI was exposed to the public internet. The exploitation allowed attackers to create a full administrator account, take control of affected routers, switches, and access points, and install malware.


Sources

  - September 26, 2025 (two sources)
  - October 27, 2023

Related Stories

Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices


A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier.

Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise.

Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation.

Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.

1 month ago
Cisco IOS XR CLI Privilege Escalation Vulnerabilities Enabling Root Command Execution


Cisco released fixes for **two high-severity privilege-escalation vulnerabilities** in **Cisco IOS XR Software** that could allow an **authenticated, local, low-privileged user** to elevate privileges and either execute arbitrary commands as **root** or obtain full administrative control of affected routing devices. The issues were identified during Cisco internal testing and are described as independent flaws (exploitation of one is not required to exploit the other); Cisco provided software updates to remediate affected versions. One flaw, **CVE-2026-20040**, is caused by insufficient validation of user-supplied arguments to certain *CLI* commands, enabling crafted input to result in root-level command execution. The second, **CVE-2026-20046**, stems from incorrect mapping of a CLI command to task groups, allowing bypass of task-group authorization checks and granting administrative control; it specifically impacts **IOS XRv 9000**. Canada’s Centre for Cyber Security highlighted Cisco’s broader advisory set (AV26-223), which includes these **IOS XR CLI privilege escalation vulnerabilities** alongside other IOS XR denial-of-service issues and web vulnerabilities in Cisco contact center products, and urged organizations to apply vendor updates as they become available.

3 weeks ago
Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation


Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.

2 weeks ago