CISCO-SA-SG350-SNMP-DOS-GEFZR2TJ
Vulnerability from csaf_cisco - Published: 2026-05-06 16:00 - Updated: 2026-05-06 16:00Summary
Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability
Notes
Summary: A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system.
Cisco has not released and will not release software updates that address this vulnerability because the affected products are past the date for End of Software Maintenance Releases. The Cisco Product Security Incident Response Team (PSIRT) will continue to evaluate and disclose security vulnerabilities that affect these products until the Last Date of Support is reached.
There are no workarounds that address this vulnerability. However, there is a mitigation.
Vulnerable Products: This vulnerability affects the following Cisco products if they are running Cisco SG350 and SG350X Series Managed Switch Firmware Release 2.5.9.54 or 2.5.9.55 and have two or more 60-watt Power over Ethernet (PoE) ports enabled:
SG350-28P Switches
SG350-28MP Switches
SG350-52P Switches
SG350-52MP Switches
SG350X Series Switches
Determine the Device Configuration
To determine whether a device has SNMPv1 or v2c enabled, use the show running-config | include snmp-server community CLI command. If there is output, SNMP is enabled, as shown in the following example:
Switch# show running-config | include snmp-server community
snmp-server community public ro
To determine whether a device has SNMPv3 enabled, use the show running-config | include snmp-server group and show snmp user CLI commands. If there is output from both commands, SNMPv3 is enabled, as shown in the following example:
Switch# show running-config | include snmp-server group
snmp-server group v3group v3 noauth
Switch# show snmp user
User name: remoteuser1
Engine ID: 800000090300EE01E71C178C
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: v3group
To determine whether a device has 60 Watt PoE ports enabled, use the show running-config | include interface|power inline limit 60000. There must be two or more 60-watt ports configured, as shown in the following example:
Switch# show running-config | include interface|power inline limit 60000
interface vlan 1
interface vlan 10
interface FiveGigabitEthernet1/0/5
power inline limit 60000
interface FiveGigabitEthernet1/0/6
power inline limit 60000
Products Confirmed Not Vulnerable: Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Workarounds: There are no workarounds that address this vulnerability. However, as a mitigation, administrators may disable the vulnerable object ID (OID) on a device.
To disable and exclude the OID, complete the following steps:
1. Create a new SNMP view excluding the affected OID. Use the following commands:
snmp-server view SNMP_DOS iso included
snmp-server view SNMP_DOS rlPethPsePortTable excluded
2. Apply the view to the SNMP community or SNMP v3 group:
For SNMP v1 or v2c, apply this configuration to all configured community strings. Use the following command:
snmp-server community mycomm view SNMP_DOS RO
For SNMPv3, apply this to all configured SNMP users. Use the following command:
snmp-server group v3group v3 auth read SNMP_DOS write SNMP_DOS
Fixed Software: Cisco SG350 and SG350X are past their respective dates for End of Software Maintenance Releases. For this reason, Cisco has not released and will not release software updates to address the vulnerability that is described in this advisory. Customers are advised to refer to the end-of-life notices for these products:
End-of-Sale and End-of-Life Announcement for the Cisco 350 Series Managed Switches ["https://www.cisco.com/c/en/us/products/collateral/switches/350-series-managed-switches/350-series-managed-switches-eol.html"]
End-of-Sale and End-of-Life Announcement for the Cisco 350X Series Stackable Managed Switches ["https://www.cisco.com/c/en/us/products/collateral/switches/350x-series-stackable-managed-switches/eos-eol-notice-c51-2442212.html"]
When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that any new product will be sufficient for their network needs and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability Policy: To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements: The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source: Cisco would like to thank security researcher Ryan Moore for reporting this vulnerability.
Legal Disclaimer: SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.
7.7 (High)
Vendor Fix
Cisco has released software updates that address this vulnerability.
https://software.cisco.com
References
Acknowledgments
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank security researcher Ryan Moore for reporting this vulnerability."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r\nThis vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\r\n\r\nThis vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system.\r\n\r\nCisco has not released and will not release software updates that address this vulnerability because the affected products are past the date for End of Software Maintenance Releases. The Cisco Product Security Incident Response Team (PSIRT) will continue to evaluate and disclose security vulnerabilities that affect these products until the Last Date of Support is reached.\r\n\r\nThere are no workarounds that address this vulnerability. However, there is a mitigation.\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "This vulnerability affects the following Cisco products if they are running Cisco SG350 and SG350X Series Managed Switch Firmware Release 2.5.9.54 or 2.5.9.55 and have two or more 60-watt Power over Ethernet (PoE) ports enabled:\r\n\r\nSG350-28P Switches\r\nSG350-28MP Switches\r\nSG350-52P Switches\r\nSG350-52MP Switches\r\nSG350X Series Switches\r\n Determine the Device Configuration\r\nTo determine whether a device has SNMPv1 or v2c enabled, use the show running-config | include snmp-server community CLI command. If there is output, SNMP is enabled, as shown in the following example:\r\n\r\n\r\nSwitch# show running-config | include snmp-server community\r\nsnmp-server community public ro\r\n\r\nTo determine whether a device has SNMPv3 enabled, use the show running-config | include snmp-server group and show snmp user CLI commands. If there is output from both commands, SNMPv3 is enabled, as shown in the following example:\r\n\r\n\r\nSwitch# show running-config | include snmp-server group\r\nsnmp-server group v3group v3 noauth\r\n\r\nSwitch# show snmp user\r\nUser name: remoteuser1\r\nEngine ID: 800000090300EE01E71C178C\r\nstorage-type: nonvolatile active\r\nAuthentication Protocol: SHA\r\nPrivacy Protocol: None\r\nGroup-name: v3group\r\n\r\nTo determine whether a device has 60 Watt PoE ports enabled, use the show running-config | include interface|power inline limit 60000. There must be two or more 60-watt ports configured, as shown in the following example:\r\n\r\n\r\nSwitch# show running-config | include interface|power inline limit 60000\r\n\r\ninterface vlan 1\r\ninterface vlan 10\r\ninterface FiveGigabitEthernet1/0/5\r\n power inline limit 60000\r\ninterface FiveGigabitEthernet1/0/6\r\n power inline limit 60000",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "There are no workarounds that address this vulnerability. However, as a mitigation, administrators may disable the vulnerable object ID (OID) on a device.\r\n\r\nTo disable and exclude the OID, complete the following steps:\r\n\r\n1. Create a new SNMP view excluding the affected OID. Use the following commands:\r\n\r\n\r\nsnmp-server view SNMP_DOS iso included\r\nsnmp-server view SNMP_DOS rlPethPsePortTable excluded\r\n\r\n2. Apply the view to the SNMP community or SNMP v3 group:\r\n\r\nFor SNMP v1 or v2c, apply this configuration to all configured community strings. Use the following command:\r\n\r\n\r\nsnmp-server community mycomm view SNMP_DOS RO\r\n\r\nFor SNMPv3, apply this to all configured SNMP users. Use the following command:\r\n\r\n\r\nsnmp-server group v3group v3 auth read SNMP_DOS write SNMP_DOS",
"title": "Workarounds"
},
{
"category": "general",
"text": "Cisco SG350 and SG350X are past their respective dates for End of Software Maintenance Releases. For this reason, Cisco has not released and will not release software updates to address the vulnerability that is described in this advisory. Customers are advised to refer to the end-of-life notices for these products:\r\n\r\nEnd-of-Sale and End-of-Life Announcement for the Cisco 350 Series Managed Switches [\"https://www.cisco.com/c/en/us/products/collateral/switches/350-series-managed-switches/350-series-managed-switches-eol.html\"]\r\n\r\nEnd-of-Sale and End-of-Life Announcement for the Cisco 350X Series Stackable Managed Switches [\"https://www.cisco.com/c/en/us/products/collateral/switches/350x-series-stackable-managed-switches/eos-eol-notice-c51-2442212.html\"]\r\n\r\nWhen considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that any new product will be sufficient for their network needs and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "Cisco would like to thank security researcher Ryan Moore for reporting this vulnerability.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT\r\n\r\nThe Cisco Support and Downloads [\"https://www.cisco.com/c/en/us/support/index.html\"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories [\"https://www.cisco.com/go/psirt\"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"] or their contracted maintenance providers.\r\nLEGAL DISCLAIMER DETAILS\r\n\r\nCISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nCopies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] for more information.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg350-snmp-dos-GEFZr2Tj"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "End-of-Sale and End-of-Life Announcement for the Cisco 350 Series Managed Switches",
"url": "https://www.cisco.com/c/en/us/products/collateral/switches/350-series-managed-switches/350-series-managed-switches-eol.html"
},
{
"category": "external",
"summary": "End-of-Sale and End-of-Life Announcement for the Cisco 350X Series Stackable Managed Switches",
"url": "https://www.cisco.com/c/en/us/products/collateral/switches/350x-series-stackable-managed-switches/eos-eol-notice-c51-2442212.html"
},
{
"category": "external",
"summary": "Cisco Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "Cisco Support and Downloads",
"url": "https://www.cisco.com/c/en/us/support/index.html"
},
{
"category": "external",
"summary": "Cisco Technical Assistance Center (TAC)",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
}
],
"title": "Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability",
"tracking": {
"current_release_date": "2026-05-06T16:00:00+00:00",
"generator": {
"date": "2026-05-06T15:56:26+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-sg350-snmp-dos-GEFZr2Tj",
"initial_release_date": "2026-05-06T16:00:00+00:00",
"revision_history": [
{
"date": "2026-05-06T15:56:10+00:00",
"number": "1.0.0",
"summary": "Initial public release."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Small Business Smart and Managed Switches",
"product": {
"name": "Cisco Small Business Smart and Managed Switches ",
"product_id": "CSAFPID-278027"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-20185",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCwt39853"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-278027"
]
},
"release_date": "2026-05-06T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-278027"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-278027"
]
}
],
"title": "Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vunerability"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…