ONLINE BANKING

For lost / stolen debit cards please call
, , or

ONLINE BANKING
LOGIN
M
LOGIN
For lost / stolen debit cards
please call

Ssh-2.0-cisco-1.25 Vulnerability May 2026

The string "SSH-2.0-Cisco-1.25" is a version identifier frequently returned by the Secure Shell (SSH) server on Cisco IOS and IOS XE devices during a protocol handshake. While this specific string describes the Cisco implementation of the SSH-2.0 protocol rather than a single vulnerability, devices reporting this version have recently been linked to a maximum-severity flaw (CVSS 10.0) in the underlying Erlang/OTP SSH server implementation. The Critical Erlang/OTP SSH Vulnerability

In April 2025, a critical vulnerability was disclosed affecting the Erlang/OTP SSH server, which is embedded in various Cisco products and telecommunications systems.

Severity: Classified with a CVSS v3.1 score of 10.0, indicating maximum severity.

Mechanism: The flaw exists in the handling of SSH protocol messages during the authentication phase. An unauthenticated, remote attacker can send specific connection protocol messages before authentication is completed.

Impact: A successful exploit allows for unauthenticated remote code execution (RCE) on the target system. This can lead to full system compromise, including unauthorized data access and denial of service (DoS).

Exploitation: Cisco’s Product Security Incident Response Team (PSIRT) noted attempted exploitation of this vulnerability in the wild as of June 2025. Exposure and Attack Surface

Security research reports from April 2025 highlighted significant global exposure for devices identifying as "SSH-2.0-Cisco-1.25". Shodan: Approximately 92,000 exposed instances found. Censys: Over 103,000 instances identified. FOFA: Up to 309,000 instances detected. Related Historical Vulnerabilities

Older Cisco SSH implementations, including those that may return the 1.25 identifier, have been subject to other notable security advisories: What is Cisco-1.25 in ssh logging. ssh-2.0-cisco-1.25 vulnerability

0 Helpful. Georg Pauwen. VIP Alumni. ‎02-16-2021 12:30 AM. Hello, I think the '1.25' part is the Cisco specific vendor version ID. Cisco Community SSH Terrapin Prefix Truncation Weakness - Cisco Community

The identifier SSH-2.0-Cisco-1.25 is not a specific vulnerability itself, but rather the SSH banner string that many Cisco IOS and IOS XE devices use to identify their software version during an SSH handshake. When vulnerability scanners flag this string, they are typically reporting that the device is susceptible to a broader protocol-level flaw, most commonly the Terrapin Attack (CVE-2023-48795). What is the SSH-2.0-Cisco-1.25 "Vulnerability"?

The appearance of this string in security reports usually indicates the device is running a version of Cisco software that has not yet been hardened against recent SSH exploits. There are two primary security concerns currently associated with this banner: 1. The Terrapin Attack (CVE-2023-48795)

This is a prefix truncation attack that targets the SSH protocol's integrity. CSCwi61646 - SSH Terrapin Prefix Truncation ... - Cisco Bug

The string SSH-2.0-Cisco-1.25 is a software version banner identifying the Secure Shell (SSH) server implementation used by a wide variety of Cisco products, including Catalyst switches ISR routers ASA firewalls

While the banner itself is not a vulnerability, it indicates that the device is running a specific version of Cisco's proprietary SSH code. As of early 2026, this version has been linked to several critical security flaws, most notably a recent Unauthenticated Remote Code Execution (RCE) vulnerability. Vulnerability Overview: Unauthenticated RCE A major vulnerability (tracked as cisco-sa-erlang-otp-ssh-xyZZy

) was identified in certain Cisco products using this SSH implementation. Würth Phoenix The string "SSH-2

: Allows a remote, unauthenticated attacker to execute arbitrary commands with administrative privileges.

: A flaw in how the SSH server handles specific protocol messages during the cryptographic key exchange negotiation. Affected Products

: Multiple product lines, including those running specific versions of IOS XE and other platforms that integrate the affected Erlang/OTP SSH server components. Würth Phoenix Additional Associated Risks Devices reporting Cisco-1.25

may also be susceptible to other well-documented SSH weaknesses if not fully patched: SSH Terrapin Prefix Truncation Weakness - Cisco Community

The identifier "SSH-2.0-Cisco-1.25" is not a standard CVE (Common Vulnerabilities and Exposures) number, but rather a specific SSH banner string observed on some older Cisco devices.

This banner typically indicates a Cisco device running an outdated SSH server implementation (likely from an older IOS release). The actual vulnerability most often associated with this banner is CVE-2011-1322 (and related issues like CVE-2009-4408), which concerns a weakness in Cisco’s SSH v2 implementation.

Below is a practical guide to understanding, detecting, and mitigating the risk. The Risk Profile For a penetration tester, seeing ssh-2

The Risk Profile

For a penetration tester, seeing ssh-2.0-cisco-1.25 is akin to finding an unlocked window on the ground floor.

  • The Opportunity: An attacker can use tools like searchsploit or Metasploit to identify exploits specifically for the "Cisco SSH 1.25" banner.
  • The Consequence: Because these are network infrastructure devices (routers, switches), compromise usually leads to total network control. An attacker can intercept traffic, create backdoors, or reroute traffic through malicious proxies.
  • Compliance Failure: Running software this old violates almost every major security compliance framework, including PCI-DSS, NIST, and ISO 27001.

4. Mitigation steps

5. Remediation

Short-term:

  • Restrict SSH access via ACLs (management interface only).
  • Disable weak KEX/ciphers if possible (rare on very old IOS).

Long-term:

  • Upgrade IOS to a fixed release (e.g., 15.2(4)E or 15.9(3)M).
  • Migrate to IOS-XE if hardware supports it.
  • Replace EOL hardware.

Example fixed banner after upgrade:

SSH-2.0-Cisco-2.22   (IOS 15.9)
SSH-2.0-Cisco-2.36   (IOS-XE 16.x)

2. Known Vulnerabilities Tied to This Banner

The Core Vulnerabilities: Why This String is Dangerous

The presence of ssh-2.0-cisco-1.25 is rarely a false positive for trouble. It correlates with several major security weaknesses:

Step 4 – Check for CVE-2015-6274 downgrade

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 -c 3des-cbc user@target

If it connects without warning → vulnerable.