The simplest way to identify devices is to run an Nmap version scan (-sV) against port 22. Any response containing SSH-2.0-Cisco-1.25 should be documented for review.
Which devices are showing this banner (e.g., ASR, ISR, Catalyst)?
The identifier is not a specific vulnerability itself, but rather the version banner that a Cisco device sends to identify its SSH software.
The vulnerability affects Cisco devices running SSH-2.0-Cisco-1.25, which is a specific implementation of the SSH protocol on Cisco IOS and IOS XE devices.
A critical vulnerability (CVSS 9.9) was also discovered in the SSH subsystem of Cisco ASA and Firepower Threat Defense (FTD) Software. This issue, caused by insufficient input validation, allowed an authenticated, remote attacker to execute commands on the underlying operating system by sending crafted input during SSH sessions.
For more information on the SSH-2.0-Cisco-1.25 vulnerability, including patches and workarounds, please refer to:
Scanning tools like Shodan and Censys have identified over globally of the "SSH-2.0-Cisco-1.25" banner. This broad exposure makes these devices prime targets for automated exploit scripts.
Remediation and Best Practices:
SSH-<protocol version>-<software version> <comments>
To prevent similar vulnerabilities in the future, administrators should:
If your vulnerability scanner flagged this banner, it is likely highlighting the Terrapin attack (CVE-2023-48795), which affects various Cisco SSH implementations, including the version identified by that banner.
Update your Cisco IOS/NX-OS to the latest version. You can check your status on the Cisco Bug Search Tool using your specific device model.
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3