Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco IOS XE SD-WAN Software Packet Filtering Bypass Vulnerability

Advisory ID: cisco-sa-snmp-bypass-HHUVujdn · Severity: Medium

A vulnerability in the packet filtering features of Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to bypass Layer 3 and Layer 4 traffic filters.

This vulnerability is due to improper traffic filtering conditions on an affected device. An attacker could exploit this vulnerability by sending a crafted packet to the affected device. A successful exploit could allow the attacker to bypass the Layer 3 and Layer 4 traffic filters and inject a crafted packet into the network.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-bypass-HHUVujdn

This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Workarounds

There is a workaround that addresses this vulnerability.

To remediate this issue, make one of the following changes from the Cisco SD-WAN Manager interface:

1. Configure an extended access control list (ACL) to block and allow specific ingress and egress traffic to and from the device. For instructions, see Configure ACL to Block/Match Traffic on cEdges with vManage Policy (https://www.cisco.com/c/en/us/support/docs/routers/catalyst-8000v-edge-software/218102-configure-acl-to-block-match-traffic-on.html).

2. Configure a device access policy to be pushed down to the edge devices to block unsolicited SNMP traffic. When configuring the policy, consider that SNMPv3 authorization must happen before any response is sent to a host that sends a request. For instructions, see the Device Access Policy chapter (https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/device-access-policy.html) of the Cisco Catalyst SD-WAN Policies Configuration Guide.

If the device is not in Controller mode or the device does not have SD-WAN enabled, the device is not affected by this vulnerability.

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2025-20221
Cisco Bug IDs: CSCwn25087
CVSS Score: Base 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X)

Product Names From Source

Cisco IOS XE Software, versions: 17.1.1, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.2a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1a, 17.6.3, 17.6.1y, 17.6.3a, 17.6.4, 17.6.5, 17.6.6, 17.6.6a, 17.6.5a, 17.6.7, 17.6.8, 17.6.8a, 17.7.1, 17.7.1a, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.2, 17.9.1a, 17.9.3, 17.9.2a, 17.9.3a, 17.9.4, 17.9.5, 17.9.4a, 17.9.5a, 17.9.5b, 17.9.6, 17.9.5d, 17.9.6a, 17.9.5e, 17.9.5f, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.12.2, 17.12.3, 17.12.4, 17.12.3a, 17.12.4a, 17.12.4b, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.2, 17.15.2c, 17.16.1, 17.16.1a

Also listed without a version: Cisco IOS, Cisco IOS XE Software

Related Products

| Product | CVE | Evidence |
|---|---|---|
| Cisco IOS | CVE-2025-20221 | Cisco OpenVuln |
| Cisco IOS XE Software | CVE-2025-20221 | Cisco OpenVuln |
| Cisco Catalyst 9600 Series Switches | CVE-2025-20221 | Cisco OpenVuln · software-dependent |
| Cisco Catalyst 9500 Series Switches | CVE-2025-20221 | Cisco OpenVuln · software-dependent |
| Cisco Catalyst 9400 Series Switches | CVE-2025-20221 | Cisco OpenVuln · software-dependent |
| Cisco Catalyst 9200 Series Switches | CVE-2025-20221 | Cisco OpenVuln · software-dependent |
| Cisco Catalyst 9300 Series Switches | CVE-2025-20221 | Cisco OpenVuln · software-dependent |