Ssh-2.0-cisco-1.25 Vulnerability Info

Banner 1.25 typically maps to:

IOS 12.2(33) – 12.4(24)T
IOS 15.0(1)M – 15.1(3)T

Check if device is end-of-life (most are).

The vulnerability fingerprint disappears only when you upgrade to a patched Cisco IOS/NX-OS release.

After upgrade, verify the new banner (which should be something like SSH-2.0-Cisco-2.0 or SSH-2.0-Cisco-1.99).

If you are required to submit this as a formal paper for academic or professional use, I strongly recommend that you:

Would you like me to help you instead:

The string "SSH-2.0-Cisco-1.25" is a version identifier frequently returned by the Secure Shell (SSH) server on Cisco IOS and IOS XE devices during a protocol handshake. While this specific string describes the Cisco implementation of the SSH-2.0 protocol rather than a single vulnerability, devices reporting this version have recently been linked to a maximum-severity flaw (CVSS 10.0) in the underlying Erlang/OTP SSH server implementation. The Critical Erlang/OTP SSH Vulnerability

In April 2025, a critical vulnerability was disclosed affecting the Erlang/OTP SSH server, which is embedded in various Cisco products and telecommunications systems.

Severity: Classified with a CVSS v3.1 score of 10.0, indicating maximum severity.

Mechanism: The flaw exists in the handling of SSH protocol messages during the authentication phase. An unauthenticated, remote attacker can send specific connection protocol messages before authentication is completed.

Impact: A successful exploit allows for unauthenticated remote code execution (RCE) on the target system. This can lead to full system compromise, including unauthorized data access and denial of service (DoS). ssh-2.0-cisco-1.25 vulnerability

Exploitation: Cisco’s Product Security Incident Response Team (PSIRT) noted attempted exploitation of this vulnerability in the wild as of June 2025. Exposure and Attack Surface

Security research reports from April 2025 highlighted significant global exposure for devices identifying as "SSH-2.0-Cisco-1.25". Shodan: Approximately 92,000 exposed instances found. Censys: Over 103,000 instances identified. FOFA: Up to 309,000 instances detected. Related Historical Vulnerabilities

Older Cisco SSH implementations, including those that may return the 1.25 identifier, have been subject to other notable security advisories: What is Cisco-1.25 in ssh logging.

0 Helpful. Georg Pauwen. VIP Alumni. ‎02-16-2021 12:30 AM. Hello, I think the '1.25' part is the Cisco specific vendor version ID. Cisco Community SSH Terrapin Prefix Truncation Weakness - Cisco Community

The identifier SSH-2.0-Cisco-1.25 is not a specific vulnerability itself, but rather the version banner that a Cisco device sends to identify its SSH software. Banner 1

If your vulnerability scanner flagged this banner, it is likely highlighting the Terrapin Attack (CVE-2023-48795), which affects various Cisco SSH implementations including the version identified by that banner. 🛡️ Vulnerability Report: SSH Terrapin Attack 1. Description

The Terrapin Attack is a prefix truncation weakness in the SSH protocol. It allows a Man-in-the-Middle (MitM) attacker to delete messages during the initial handshake without the client or server noticing. SSH Terrapin Prefix Truncation Weakness - Cisco Community

As of this writing, a query for "SSH-2.0-Cisco-1.25" on Shodan reveals approximately 45,000 to 60,000 devices directly exposed to the public internet. The geographic distribution is alarming:

Many of these devices belong to industrial control systems (ICS), building automation, and small enterprise routers. The majority are running firmware from 2008–2012 and have not been patched in over a decade.

Why are they still online? Legacy operational technology (OT) environments fear downtime more than security. A router that controls a pipeline cannot be rebooted for a patch without a maintenance window that may not exist for months. Check if device is end-of-life (most are)