Actively Exploited Cisco IOS Zero-Day: CVE-2025-20352 (CVSS 7.7)
Key Takeaways:
- Critical zero-day vulnerability (CVE-2025-20352) actively exploited in Cisco IOS and IOS XE.
- GoAnywhere MFT vulnerability (CVE-2025-10035) allows for command injection and potential system takeover.
- MuddyWater intrusion campaign exploits SharePoint vulnerability (CVE-2025-53770).
- Immediate patching, configuration review, and suspicious activity monitoring are crucial.
Table of Contents:
- Actively Exploited Cisco IOS Zero-Day: CVE-2025-20352 (CVSS 7.7)
- SNMP Stack Overflow: A Deep Dive into CVE-2025-20352
- GoAnywhere MFT Vulnerability: CVE-2025-10035
- MuddyWater Intrusion: Exploitation of SharePoint
- Practical Takeaways
- Related PurpleOps Services and Expertise
- FAQ
Actively Exploited Cisco IOS Zero-Day: CVE-2025-20352 (CVSS 7.7)
A critical zero-day vulnerability, identified as CVE-2025-20352, is currently being actively exploited in Cisco IOS and IOS XE software. This vulnerability impacts the Simple Network Management Protocol (SNMP) subsystem and can enable denial-of-service attacks and remote code execution, depending on the attacker’s privilege level. Understanding the specifics of this vulnerability and its potential impact is critical for maintaining network security.
SNMP Stack Overflow: A Deep Dive into CVE-2025-20352
The root cause of CVE-2025-20352 is a stack overflow in the SNMP subsystem, and it affects every SNMP version (v1, v2c and v3) on vulnerable Cisco devices. An attacker can trigger it by sending specially crafted SNMP packets over IPv4 or IPv6. The impact depends on the level of access the attacker already holds:
- Low-Privilege Attackers: Those with SNMPv2c read-only community strings or valid SNMPv3 user credentials can trigger a denial-of-service (DoS) condition. This causes affected systems to reload, disrupting network operations.
- High-Privilege Attackers: Attackers combining SNMPv1 or v2c read-only community strings with administrative or privilege 15 credentials can achieve remote code execution as the root user. This grants complete control over compromised systems.

The vulnerability affects a range of Cisco devices running vulnerable IOS and IOS XE software releases, including Meraki MS390 and Cisco Catalyst 9300 Series switches running Meraki CS 17 and earlier. Cisco states that any device with SNMP enabled should be considered vulnerable unless the affected Object Identifier (OID) has been explicitly excluded.
Administrators can verify the SNMP configuration from the CLI. For SNMPv1 and v2c, the show running-config | include snmp-server community command shows whether SNMP is enabled. For SNMPv3, use show running-config | include snmp-server group together with show snmp user.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed active exploitation of this vulnerability following the compromise of local administrator credentials. These attacks were identified during the resolution of a Technical Assistance Center support case, demonstrating the real-world risk posed by CVE-2025-20352.
The vulnerability has a CVSS 3.1 base score of 7.7, indicating high severity. Its attack vector is Network, with Low complexity and a Changed scope. The underlying issue is categorized under CWE-121 for stack-based buffer overflow conditions.
Cisco has released software updates to address this vulnerability and recommends immediate upgrades to fixed releases. No workarounds are available, but administrators can mitigate the risk by disabling affected OIDs and restricting SNMP access to trusted users. The show snmp host command can be used to monitor affected systems.
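As an added example (not Cisco's or PurpleOps' code), the following Python script reads a running-config the way the CLI checks above would be read by hand: it lists SNMPv1/v2c community strings, whether a source ACL restricts them, and SNMPv3 groups, and flags the exposure that matters for this CVE. The configuration text, hostnames and community strings are constructed.

```python
"""Audit a Cisco IOS / IOS XE running-config for the SNMP exposure that
CVE-2025-20352 depends on: which community strings and SNMPv3 groups exist,
and whether a source ACL limits who can reach the SNMP subsystem.
Added example, not Cisco's or PurpleOps' code; the config is constructed."""

SAMPLE_CONFIG = """\
hostname core-sw1
!
snmp-server community public RO
snmp-server community n3tadm1n RW 10
snmp-server group NETMON v3 priv
access-list 10 permit 10.0.0.5
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults, often never changed


def audit_snmp(config: str) -> dict:
    """Parse the lines that 'show running-config | include snmp-server community'
    and '... | include snmp-server group' would return and summarise exposure.
    SNMPv3 users are not in the running-config; check 'show snmp user' separately."""
    result = {"enabled": False, "v1v2c": [], "v3_groups": [], "findings": []}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) > 2:
            result["enabled"] = True
            # syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
            name, access, acl, i = tok[2], "RO", None, 3
            while i < len(tok):
                if tok[i] == "view":
                    i += 2  # a view limits which OIDs are visible, not who may query
                    continue
                if tok[i] in ("RO", "RW"):
                    access = tok[i]
                elif acl is None:
                    acl = tok[i]  # ACL number or name restricting source addresses
                i += 1
            result["v1v2c"].append({"community": name, "access": access, "acl": acl})
            if acl is None:
                result["findings"].append(f"community '{name}' ({access}) has no source ACL")
            if name in DEFAULT_COMMUNITIES:
                result["findings"].append(f"community '{name}' is a well-known default")
        elif tok[:2] == ["snmp-server", "group"] and len(tok) > 3:
            result["enabled"] = True
            result["v3_groups"].append({"group": tok[2], "version": tok[3]})
    if result["enabled"]:
        # with SNMP on at all, the DoS path is open to any credential holder until patched
        result["findings"].append("SNMP enabled: upgrade to a fixed release or exclude the affected OID")
    return result
```

Feed it the saved output of show running-config; a community with no ACL means the crafted packets can come from any source that knows the string, which is the exposure to close first while the upgrade is scheduled.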
GoAnywhere MFT Vulnerability: CVE-2025-10035
A critical vulnerability, CVE-2025-10035, with a CVSS score of 10.0, has been identified in Fortra’s GoAnywhere Managed File Transfer (MFT) solution. This vulnerability, a deserialization flaw in the License Servlet, allows for command injection and potential system takeover.
The vulnerability stems from how GoAnywhere MFT handles license checks. A malicious actor can exploit this during the deserialization process by using a forged license response signature to load a harmful object. This can result in command injection, allowing the attacker to execute their own code on the system.
Given that GoAnywhere MFT is used by organizations, including Fortune 500 companies, to automate and protect data exchange, this vulnerability poses a significant risk to sensitive corporate and government data.
According to an analysis by watchTowr Labs, there are over 20,000 instances of GoAnywhere MFT exposed to the internet, making it a prime target for threat actors. While exploiting the vulnerability may seem difficult due to a signature verification check, the high CVSS score suggests a real and significant threat.
This is not the first time GoAnywhere MFT has been targeted. In 2023, a similar pre-authentication command injection flaw (CVE-2023-0669) was exploited by the Cl0p ransomware gang.
Fortra has released updates in version 7.8.4 and Sustain Release 7.6.3 to address CVE-2025-10035. Organizations are urged to upgrade to these patched versions immediately. As an additional precaution, administrators should ensure the GoAnywhere Admin Console is not publicly accessible and should consider placing the service behind a firewall or VPN.
MuddyWater Intrusion: Exploitation of SharePoint
In late August 2025, an incident response team investigated suspicious activity within a customer’s network in South Asia. The investigation revealed a targeted intrusion by MuddyWater, a threat actor linked to the Iranian Ministry of Intelligence and Security (MOIS).
The attacker used PowerShell-based malware, legitimate remote monitoring and management (RMM) tools, and living-off-the-land techniques. The attack started with exploitation of the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770), which the attacker used to execute commands on the server. They first attempted to download a PowerShell RAT and, when that failed, dropped file-management webshells that let them upload, download, and delete files on the file system.
As part of their post-exploitation activity, the attacker dropped and used the GodPotato privilege escalation tool to gain SYSTEM-level access. This allowed them to dump the LSASS process and extract credentials, leading to the compromise of a privileged domain account.
The attacker then deployed PDQ Connect and AnyDesk for persistence and control. They created new user accounts, added them to privileged groups, and configured AnyDesk for unattended access. These tools allowed the attacker to push tools and payloads onto compromised hosts.
The attacker used native Windows tools and PowerShell cmdlets for reconnaissance, using commands such as ping, whoami, quser, Test-NetConnection, and netstat.
Lateral movement was achieved using a combination of SMB-based remote execution and Windows Management Instrumentation (WMI). The attacker used a PowerShell implementation of Invoke-SMBExec to execute commands on remote systems. They also made multiple attempts to execute malware via PowerShell one-liners.
A custom tunneling tool was used to pivot to internal systems. The attacker used this tunnel to interact with RDP and SMB services, leaving successful-logon entries (Event ID 4624) in the Windows Security log on the target systems.
Finally, the attacker used the SharePoint web server as an exfiltration mechanism. They compressed sensitive credential artifacts into ZIP archives and placed them into the layouts directory of the SharePoint web application.
The PowerShell one-liners observed served as loaders for a Remote Access Trojan (RAT). A custom version of resocks was used for tunneling, establishing a TLS-encrypted tunneling proxy to route traffic to internal network hosts.
The C2 server, 195[.]20.17.189, was hosted on BlueVPS, with an IP geolocated to Israel. The server was exposing HTTP services on ports 80 and 443, with the SSL certificate on port 443 presenting the Subject Common Name (CN): pharmacynod.com. The reverse proxy callback address was 165[.]227.82.147.
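As an added example (not PurpleOps' or the responders' code), the following Python triage script turns the chain described above into detections: the IIS worker spawning a shell (webshell execution), PowerShell one-liner loaders, network and RDP logons (Event ID 4624) from sources outside an admin allowlist, a single source fanning out to several hosts (the footprint of a tunnelled pivot), and ZIP files appearing in the SharePoint LAYOUTS directory. The event records, hostnames, addresses and the jump-host allowlist are constructed, and the LAYOUTS path assumes the standard SharePoint "16" hive.

```python
"""Triage constructed Windows telemetry for the chain described above: webshell
command execution under the SharePoint IIS worker, PowerShell one-liner loaders,
tunnelled RDP/SMB logons (Event ID 4624) and ZIP staging in the SharePoint
LAYOUTS directory. Added example, not PurpleOps' or the responders' code; the
events, hosts and jump-host allowlist are constructed."""
import re
from collections import defaultdict

JUMP_HOSTS = {"10.10.5.20"}  # assumption: the only sanctioned admin source for network logons
# markers typical of download-and-execute one-liners
LOADER_RE = re.compile(r"(?i)(-enc\w*|IEX\b|Invoke-Expression|DownloadString|Net\.WebClient|FromBase64String)")
# SharePoint hive path (16 hive assumed); ZIPs here match the page's exfil staging pattern
LAYOUTS_RE = re.compile(r"(?i)\\web server extensions\\\d+\\template\\layouts\\.*\.zip$")

EVENTS = [  # constructed: 4688 = process creation, 4624 = logon, 11 = Sysmon FileCreate
    {"id": 4688, "host": "SP01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "SP01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc QUFB"},
    {"id": 4624, "host": "FS02", "logon_type": 3, "src_ip": "10.10.5.20", "user": "backupadm"},
    {"id": 4624, "host": "FS02", "logon_type": 3, "src_ip": "10.10.7.33", "user": "svc-sp"},
    {"id": 4624, "host": "DC01", "logon_type": 10, "src_ip": "10.10.7.33", "user": "svc-sp"},
    {"id": 11, "host": "SP01", "path": r"C:\Program Files\Common Files\microsoft shared"
                                        r"\Web Server Extensions\16\TEMPLATE\LAYOUTS\creds.zip"},
]


def triage(events, jump_hosts=JUMP_HOSTS):
    """Return (host, kind, detail) alerts; 'pivot' fires when one non-jump source
    reaches two or more hosts, the footprint a tunnelled RDP/SMB pivot leaves."""
    alerts, reached = [], defaultdict(set)
    for e in events:
        if e["id"] == 4688:
            if e["parent"].lower() == "w3wp.exe" and e["image"].lower() in ("cmd.exe", "powershell.exe"):
                alerts.append((e["host"], "webshell", f"{e['parent']} -> {e['image']}: {e['cmdline']}"))
            if e["image"].lower() == "powershell.exe" and LOADER_RE.search(e["cmdline"]):
                alerts.append((e["host"], "ps-loader", e["cmdline"]))
        elif e["id"] == 4624 and e["logon_type"] in (3, 10) and e["src_ip"] not in jump_hosts:
            alerts.append((e["host"], "lateral", f"{e['user']} from {e['src_ip']} (type {e['logon_type']})"))
            reached[e["src_ip"]].add(e["host"])
        elif e["id"] == 11 and LAYOUTS_RE.search(e["path"]):
            alerts.append((e["host"], "staging", e["path"]))
    for src, hosts in reached.items():
        if len(hosts) >= 2:
            alerts.append(("*", "pivot", f"{src} reached {sorted(hosts)}"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in triage(EVENTS):
        print(f"[{kind:9}] {host}: {detail}")
```

Any one of these alerts is noisy on its own; the same host or source appearing in two or more kinds within a short window is the signal worth paging on.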
Practical Takeaways
Here’s what IT pros and leadership should do now.
- Patch Immediately: Apply the Cisco software updates for CVE-2025-20352 and the Fortra updates for CVE-2025-10035 immediately. Prioritize systems exposed to the internet.
- Review SNMP Configuration: Audit SNMP configurations. Disable unnecessary SNMP services and restrict access to trusted users. Disable affected OIDs as a mitigation measure where patching is not immediately possible.
- Secure RMM Tools: Ensure Remote Monitoring and Management (RMM) tools like AnyDesk and PDQ are securely configured with multi-factor authentication and access controls.
- Monitor for Suspicious Activity: Implement monitoring for unusual PowerShell activity, lateral movement attempts, and file exfiltration from SharePoint servers. Look for unexpected processes and network connections originating from systems running SharePoint.
- Network Segmentation: Isolate critical systems and services using network segmentation. This limits the blast radius of a successful attack.
Related PurpleOps Services and Expertise
This blog highlights the importance of several key cybersecurity services that PurpleOps specializes in:
- Cyber Threat Intelligence: Proactive monitoring and analysis of emerging threats, including zero-day vulnerabilities and threat actor tactics, such as those used by MuddyWater. Leverage a cyber threat intelligence platform to stay ahead of potential attacks.
- Real-Time Ransomware Intelligence: Understanding the latest ransomware attack vectors and proactively protecting against them, as demonstrated by the Cl0p ransomware gang’s exploitation of the GoAnywhere MFT vulnerability. Consider using a live ransomware API for up-to-date information.
- Breach Detection: Implementing robust breach detection mechanisms to identify and respond to unauthorized access and lateral movement, such as the activity observed in the MuddyWater intrusion.
- Supply-Chain Risk Monitoring: Assessing and mitigating risks associated with third-party software and services, including managed file transfer solutions like GoAnywhere MFT and open-source components.
- Penetration Testing: Identify vulnerabilities in systems and networks, such as those exploited in the Cisco IOS and SharePoint attacks. This process is key to finding weaknesses before attackers do.
- Red Team Operations: Simulate real-world attacks to assess the effectiveness of security controls and incident response capabilities.
PurpleOps is dedicated to helping organizations enhance their cybersecurity posture. Contact us today to learn more about our services and how we can help protect your business from evolving cyber threats.
FAQ
Q: What is CVE-2025-20352 and why is it important?
A: CVE-2025-20352 is a critical zero-day vulnerability in Cisco IOS and IOS XE software that can lead to denial-of-service or remote code execution. It’s actively being exploited, making immediate patching crucial.
Q: What actions should I take to address CVE-2025-10035?
A: Upgrade GoAnywhere MFT to version 7.8.4 or Sustain Release 7.6.3 immediately. Also, ensure the Admin Console is not publicly accessible and consider placing the service behind a firewall or VPN.
Q: How can I protect against threats like the MuddyWater intrusion?
A: Implement robust monitoring for suspicious activity, secure RMM tools, segment your network, and apply patches promptly. Cyber Threat Intelligence and Breach Detection services can provide proactive protection.