Thursday, September 25, 2025



CVE-2025-20352: Exposed SNMP is “not a vuln”? 0kk...

It’s just a friendly UDP oracle telling strangers what your routers are, how old they are, and whether they like to take naps when prodded. Totally fine.

CVE-2025-20352 lives in Cisco IOS/IOS XE’s SNMP stack. Crafted packets + creds = sad router. While everyone argues about advisory footnotes, we do the boring part: find what talks SNMP with default communities and tag what looks at risk.

https://github.com/scadastrangelove/CVE-2025-20352

Tools you already know

  • onesixtyone — fast sweep for UDP/161 with a tiny wordlist (public, private).

  • parser — one Python script that reads sysDescr.0, says “Cisco or not,” pulls version, and stamps: Fixed / Potentially Vulnerable / Not Cisco.

30 seconds of honesty

sudo apt update && sudo apt install -y onesixtyone snmp python3
printf "public\nprivate\n" > communities.txt

# scan your ranges (edit!)
onesixtyone -c communities.txt 192.168.2.0/24 10.1.2.0/24 | tee snmp_raw.txt

# parse banners to CSV
python3 ios_cve20352_parser.py < snmp_raw.txt > parsed.csv
column -s, -t < parsed.csv | less -S
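What the parser step above actually has to do, written out as an added example (this is not the ios_cve20352_parser.py from the repo, just a stand-in that reads the same onesixtyone output shape: "ip [community] sysDescr"). It splits each line, decides IOS / IOS XE / not Cisco from sysDescr.0, pulls the "Version ..." token, and stamps Fixed / Potentially Vulnerable / Not Cisco. The fixed-release set is a constructed placeholder; the real list has to come from the Cisco advisory, so an unknown or unlisted version lands in Potentially Vulnerable, never in Fixed. The sample lines are constructed, not real scan output.

```python
#!/usr/bin/env python3
"""Added example, not the repo's own parser: onesixtyone output -> CSV.

Input lines are onesixtyone's default shape:
    <ip> [<community>] <sysDescr.0 string>
Anything else (progress/status lines) is skipped.
"""
import csv
import re
import sys

# onesixtyone prints: "<ip> [<community>] <sysDescr>"
LINE_RE = re.compile(r"^(\S+)\s+\[([^\]]*)\]\s+(.*)$")

# Cisco IOS and IOS XE both carry "Version <token>" in sysDescr, e.g.
#   "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)"
#   "Cisco IOS XE Software, Version 17.09.04a"
VERSION_RE = re.compile(r"Version\s+([0-9][0-9A-Za-z.()]*)")

# PLACEHOLDER (constructed): replace with the fixed releases from Cisco's advisory.
FIXED_PLACEHOLDER = frozenset({"17.99.99"})


def parse_line(line):
    """Split one onesixtyone line into (ip, community, sysdescr); None if not a hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def classify(sysdescr, fixed=FIXED_PLACEHOLDER):
    """Return (platform, version, status) for one sysDescr string.

    platform: 'IOS XE', 'IOS', or '' when the banner is not Cisco IOS/IOS XE
    status:   'Fixed' / 'Potentially Vulnerable' / 'Not Cisco'
    Non-IOS Cisco gear (NX-OS, ASA, ...) also lands in 'Not Cisco' because
    the bug sits in the IOS/IOS XE SNMP stack.
    """
    text = sysdescr.strip()
    if "cisco ios" not in text.lower():
        return "", "", "Not Cisco"
    platform = "IOS XE" if re.search(r"IOS[ -]?XE", text, re.I) else "IOS"
    m = VERSION_RE.search(text)
    version = m.group(1) if m else ""
    # Unknown or unlisted version on an IOS box: patch-queue default is
    # "Potentially Vulnerable", never "Fixed".
    status = "Fixed" if version and version in fixed else "Potentially Vulnerable"
    return platform, version, status


FIELDS = ["ip", "community", "platform", "version", "status", "sysdescr"]


def parse_report(lines, fixed=FIXED_PLACEHOLDER):
    """Turn an iterable of onesixtyone lines into a list of CSV row dicts."""
    rows = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, community, sysdescr = parsed
        platform, version, status = classify(sysdescr, fixed)
        rows.append(dict(zip(FIELDS, [ip, community, platform, version, status, sysdescr])))
    return rows


def write_csv(rows, out):
    """Write rows as CSV with a header line."""
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)


# Constructed sample, standing in for `onesixtyone ... | tee snmp_raw.txt`.
SAMPLE = """\
192.168.2.1 [public] Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
192.168.2.2 [private] Cisco IOS XE Software, Version 17.99.99
192.168.2.3 [public] Linux printer01 4.19.0 #1 SMP
Scanning 3 hosts, 2 communities
"""

if __name__ == "__main__":
    # Pipe snmp_raw.txt on stdin; with no pipe, run over the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    write_csv(parse_report(source), sys.stdout)
```

Usage matches the pipeline above: `python3 this_parser.py < snmp_raw.txt > parsed.csv`. The community column survives into the CSV on purpose: a Cisco box answering to "public" is worth a row even after it is patched.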

Anything Cisco IOS/IOS XE not on your fixed list? Call it Potentially Vulnerable and move it up the patch queue. SNMPv3-only, tight ACLs, recent code? You sleep better.

Rituals that still work

  • kill v1/v2c where you can,

  • if not, change the communities,

  • ACL SNMP to managers only,

  • upgrade per the checker, not the rumor mill.

We aren’t dropping 0day confetti here. We’re just counting who left the management port on the porch light.
SNMP isn’t a vuln? okay. It’s a signal. Listen.
