Cisco Security Advisory
Cisco IOS and IOS XE Software SNMPv3 Configuration Restriction Vulnerability

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
-
A vulnerability in the implementation of the Simple Network Management Protocol Version 3 (SNMPv3) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to poll an affected device using SNMP, even if the device is configured to deny SNMP traffic from an unauthorized source or the SNMPv3 username is removed from the configuration.
This vulnerability exists because of the way that the SNMPv3 configuration is stored in the Cisco IOS Software and Cisco IOS XE Software startup configuration. An attacker could exploit this vulnerability by polling an affected device from a source address that should have been denied. A successful exploit could allow the attacker to perform SNMP operations from a source that should be denied.
Note: The attacker has no control of the SNMPv3 configuration. To exploit this vulnerability, the attacker must have valid SNMPv3 user credentials.
For more information, see the Details section of this advisory.
Cisco has not released software updates that address this vulnerability. However, there is a new method for configuring SNMPv3 so that it will not be affected by this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmpv3-qKEYvzsy
This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
-
Vulnerable Products
At the time of publication, this vulnerability affected all releases of Cisco IOS and IOS XE Software if the SNMPv3 feature was configured.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine the Device Configuration
To determine if a device has an affected configuration, use the mapping table in the Details section of this advisory. If the length of the configuration line exceeds 255 characters, the device is affected.
Administrators can also check the output of show snmp user username to see if the access-list name is defined as expected. For example, an administrator could configure a device as follows:
Router# configure terminal
Router(config)#snmp-server user SNMP256 SNMPV3_READ v3 auth sha auth1234567890xxxxx priv aes 256 encr1234567890xxxxx access ACL-EXAMPLE-ALLOW_SNMP
Router(config)#end
Router#show snmp user SNMP256
User name: SNMP256
Engine ID: 80000009030074A2E6831A01
storage-type: nonvolatile active access-list: ACL-EXAMPLE-ALLOW_SNMP
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: SNMPV3_READ
Router#
In the preceding example, everything appears normal, and the system would function correctly. However, if the system reloaded, upon starting it back up and using the same command, the administrator would see the following output:
Router#show snmp user SNMP256
User name: SNMP256
Engine ID: 80000009030074A2E6831A01
storage-type: nonvolatile active access-list: ACL-EXAMPLE-ALLOW_S
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: SNMPV3_READ
Router#
In the preceding example, the access control list (ACL) name has been truncated. Because the ACL name does not exist in the configuration, it will not be enforced, leaving the SNMPv3 user without an ACL.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS XR Software
- Meraki products
- NX-OS Software
Details
When an administrator configures an SNMPv3 user on the configuration CLI and saves the configuration, it is written to a startup configuration file. The strings for both authentication and privacy protocols are converted to fixed-length octets that are separated by colons. A keyword, encrypted, is also added.
This can dramatically increase the length of the stored configuration, as shown in the following table:
Type  Protocol  Characters to store
Auth  MD5       47
Auth  SHA1      59
Auth  SHA256    71
Auth  SHA384    95
Auth  SHA512    143
Priv  3DES      95
Priv  AES128    47
Priv  AES192    71
Priv  AES256    95
If, after the conversion to octets, the configuration line exceeds 255 characters, it may be truncated or not accepted when it is read back into the running configuration after a device reload.
For example, the SNMPv3 configuration could be as follows:
snmp-server user SNMP256 SNMPV3_READ v3 auth sha auth1234567890xxxxx priv aes 256 encr1234567890xxxxx access ACL-EXAMPLE-ALLOW_SNMP
The SNMPv3 configuration would be transposed to the following in the startup configuration (octets intentionally left as 00):
snmp-server user SNMP256 SNMPV3_READ v3 encrypted auth sha 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 priv aes 256 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 access ACL-EXAMPLE-ALLOW_SNMP
The startup configuration in this example is 258 characters, which exceeds the 255 limit. Upon reload, the last three characters of the configuration string would be removed, resulting in an incorrect ACL configuration. This means no ACL is applied.
Workarounds
There is a workaround that addresses this vulnerability.
To ensure that the SNMPv3 configuration that is written to the startup configuration is 255 characters or less, use one of the following methods:
- Move the IPv4 ACL name, the IPv6 ACL name, or both to be attached to the SNMPv3 group name instead of being attached to the username.
- Shorten the combination of the user, group, and ACL names.
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
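The following Python checker is an added example, not Cisco's code: it rebuilds an snmp-server user line into the stored form described in the Details section using the advisory's per-protocol lengths, reports the stored length and what the ACL name would look like after a reload, and applies the workaround of moving the ACL to the group. It counts printable characters only (257 for the advisory's sample line, which the advisory reports as 258), and the group security level it emits ("priv" when a privacy key is present, otherwise "auth") is an assumption.

```python
import re

# Stored length of the colon-separated hex octet string for each protocol, taken
# from the advisory's table (for example MD5 = 16 octets = 47 characters).
AUTH_STORED = {"md5": 47, "sha": 59, "sha-2 256": 71, "sha-2 384": 95, "sha-2 512": 143}
PRIV_STORED = {"3des": 95, "aes 128": 47, "aes 192": 71, "aes 256": 95}
LIMIT = 255  # startup-configuration line length limit stated in the advisory

# The CLI line as typed: "priv" and "access" are optional, and an optional "0"
# type marker may precede each password.
LINE_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 auth (md5|sha|sha-2 (?:256|384|512)) (?:0 )?\S+"
    r"(?: priv (aes (?:128|192|256)|3des) (?:0 )?\S+)?(?: access (.+))?$"
)

def octets(stored_len):  # placeholder "00:00:..." string of the given stored length
    return ":".join(["00"] * ((stored_len + 1) // 3))

def stored_form(cli_line):
    """Rebuild the line as the startup configuration would hold it."""
    m = LINE_RE.match(cli_line.strip())
    if not m:
        raise ValueError("unrecognised SNMPv3 user line: " + cli_line)
    user, group, auth, priv, access = m.groups()
    parts = [f"snmp-server user {user} {group} v3 encrypted auth {auth}", octets(AUTH_STORED[auth])]
    if priv:
        parts += [f"priv {priv}", octets(PRIV_STORED[priv])]
    if access:
        parts.append(f"access {access}")
    return " ".join(parts)

def check_line(cli_line, limit=LIMIT):
    """Return (stored length, affected?, ACL name as it would be read back).
    Printable characters only: the advisory counts its sample at 258 where this
    gives 257, so treat a line within a character or two of the limit as affected."""
    stored = stored_form(cli_line)
    read_back = stored[:limit]  # everything beyond the limit is lost on reload
    acl = read_back.split(" access ", 1)[1] if " access " in read_back else None
    return len(stored), len(stored) > limit, acl

def move_acl_to_group(cli_line):
    """Advisory workaround: return (user line without ACL, group line carrying it).
    The group's security level is assumed: 'priv' if a privacy key is set, else 'auth'."""
    m = LINE_RE.match(cli_line.strip())
    if not m or not m.group(5):
        raise ValueError("line has no access-list to move: " + cli_line)
    level = "priv" if m.group(4) else "auth"
    user_line = cli_line.strip().rsplit(" access ", 1)[0]
    return user_line, f"snmp-server group {m.group(2)} v3 {level} access {m.group(5)}"
```

Run check_line over every snmp-server user line in a saved running configuration; a True in the second field means the ACL on that line will not survive a reload.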
-
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
Cisco does not plan to release a fix that addresses this vulnerability.
However, Cisco IOS XE Software releases 17.15.3 and 17.17.1 introduce a new method of configuring SNMPv3 that uses type 6 encryption, so the user configuration is visible in the CLI, which gets around the limitation that is described in this advisory. Upgrading to Release 17.15.3 or Release 17.17.1 will not automatically convert the SNMPv3 configuration. Administrators must reconfigure SNMPv3 using type 6 encryption, as shown in the following example:
Router#configure terminal
Router(config)#password encryption aes
Router(config)#key config-key password-encrypt Example!23
Router(config)#do show run | include snmp
Router(config)#snmp-server user test gp v3 auth sha-2 512 0 cisco1234 priv aes 128 0 cisco1234
Router(config)#do show run | include snmp
snmp-server user test gp v3 auth sha-2 512 6 GhN\ieUbTWDHFZigBYOB\eROcbV\]RLXfAAB priv aes 128 6 S`bUVJWXiYbfKMf[Vd_]_LVhSHJFghUSNAAB
Router(config)#snmp-server user testUser1 PSIRTGroup v3 auth sha-2 512 0 cisco1234 priv aes 128 0 cisco1234 access ipv6 IPV6_ACL_SNMP
Router(config)#do sho run | include snmp
snmp-server user test gp v3 auth sha-2 512 6 GhN\ieUbTWDHFZigBYOB\eROcbV\]RLXfAAB priv aes 128 6 S`bUVJWXiYbfKMf[Vd_]_LVhSHJFghUSNAAB
snmp-server user testUser1 PSIRTGroup v3 auth sha-2 512 6 RJ^DfTEg[TRTBbFHTK\fcaGPdB]ZENXFGAAB priv aes 128 6 bfcMY[QGYZKPSdHKc_`eOEeEKUbD]KEbEAAB access ipv6 IPV6_ACL_SNMP
Router(config)#
-
Customers who are using SNMPv3 should validate the configuration to ensure it does not exceed the 255-character limit.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was found during the resolution of a Cisco TAC support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description              Section  Status  Date
1.0      Initial public release.  -        Final   2025-MAY-07
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.