Ssh-2.0-cisco-1.25 Vulnerability Work May 2026
The string SSH-2.0-Cisco-1.25 is not a specific vulnerability itself, but rather the version banner
that a Cisco device sends when a connection is initiated over port 22. Cisco Community
While the banner is a standard part of the SSH handshake, it is frequently flagged by security scanners (like Nessus or Qualys) as "potentially vulnerable" because it reveals that the device is running an older or specific version of the Cisco SSH server. Cisco Community Understanding the Banner : Indicates the device is using SSH Protocol Version 2.0. Cisco-1.25
: This is the internal version of the Cisco SSH software implementation. Cisco Community Why Scanners Flag This
Security tools often alert on this banner because it helps attackers perform fingerprinting
—identifying the exact operating system and software version to find matching exploits. Several critical vulnerabilities have affected Cisco devices running versions associated with this banner over the years: NetCom Learning SSH Terrapin Prefix Truncation Weakness - Cisco Community
The string "SSH-2.0-Cisco-1.25" is a version identifier frequently returned by the Secure Shell (SSH) server on Cisco IOS and IOS XE devices during a protocol handshake. While this specific string describes the Cisco implementation of the SSH-2.0 protocol rather than a single vulnerability, devices reporting this version have recently been linked to a maximum-severity flaw (CVSS 10.0) in the underlying Erlang/OTP SSH server implementation. The Critical Erlang/OTP SSH Vulnerability
In April 2025, a critical vulnerability was disclosed affecting the Erlang/OTP SSH server, which is embedded in various Cisco products and telecommunications systems.
Severity: Classified with a CVSS v3.1 score of 10.0, indicating maximum severity.
Mechanism: The flaw exists in the handling of SSH protocol messages during the authentication phase. An unauthenticated, remote attacker can send specific connection protocol messages before authentication is completed.
Impact: A successful exploit allows for unauthenticated remote code execution (RCE) on the target system. This can lead to full system compromise, including unauthorized data access and denial of service (DoS).
Exploitation: Cisco’s Product Security Incident Response Team (PSIRT) noted attempted exploitation of this vulnerability in the wild as of June 2025. Exposure and Attack Surface
Security research reports from April 2025 highlighted significant global exposure for devices identifying as "SSH-2.0-Cisco-1.25". Shodan: Approximately 92,000 exposed instances found. Censys: Over 103,000 instances identified. FOFA: Up to 309,000 instances detected. Related Historical Vulnerabilities
Older Cisco SSH implementations, including those that may return the 1.25 identifier, have been subject to other notable security advisories: What is Cisco-1.25 in ssh logging.
0 Helpful. Georg Pauwen. VIP Alumni. 02-16-2021 12:30 AM. Hello, I think the '1.25' part is the Cisco specific vendor version ID. Cisco Community SSH Terrapin Prefix Truncation Weakness - Cisco Community
The string SSH-2.0-Cisco-1.25 is a software version banner identifying the Secure Shell (SSH) server implementation used by a wide variety of Cisco products, including Catalyst switches ISR routers ASA firewalls ssh-2.0-cisco-1.25 vulnerability
While the banner itself is not a vulnerability, it indicates that the device is running a specific version of Cisco's proprietary SSH code. As of early 2026, this version has been linked to several critical security flaws, most notably a recent Unauthenticated Remote Code Execution (RCE) vulnerability. Vulnerability Overview: Unauthenticated RCE A major vulnerability (tracked as cisco-sa-erlang-otp-ssh-xyZZy
) was identified in certain Cisco products using this SSH implementation. Würth Phoenix
: Allows a remote, unauthenticated attacker to execute arbitrary commands with administrative privileges.
: A flaw in how the SSH server handles specific protocol messages during the cryptographic key exchange negotiation. Affected Products
: Multiple product lines, including those running specific versions of IOS XE and other platforms that integrate the affected Erlang/OTP SSH server components. Würth Phoenix Additional Associated Risks Devices reporting Cisco-1.25
may also be susceptible to other well-documented SSH weaknesses if not fully patched: SSH Terrapin Prefix Truncation Weakness - Cisco Community
SSH-2.0-Cisco-1.25 — a banner string that shows up when an SSH client probes a Cisco device — reads like a tiny mechanical signature, but it’s also an entry point into wider questions about security, disclosure, and how small protocol details can have outsized effects.
Why that banner matters
- Identification: An SSH banner reveals implementation and version hints. Tools and scanners use banners to classify devices, prioritize targets, and infer known vulnerabilities.
- Fingerprinting risk: Even absent an exploit, a banner like "SSH-2.0-Cisco-1.25" makes it trivial for an observer to identify Cisco gear running certain SSH stacks. That reduces an attacker’s reconnaissance cost.
- False comfort: Administrators sometimes assume “only the banner” is harmless. In practice, banner exposure plus other metadata can accelerate automated attacks.
The real vulnerabilities behind similar banners
- Banner ≠ vulnerability, but it can correlate to real bugs. Cisco SSH implementations historically carried several serious issues — from RSA-based auth bypasses to state-machine or exceptional-condition handling that enabled DoS (e.g., CVE entries involving Cisco SSH implementations). Attackers don’t need a novel zero-day if a known CVE maps to the disclosed implementation.
- Resource exhaustion and state-machine flaws are subtle. Some Cisco SSH flaws let an authenticated or semi-authenticated actor craft specific traffic patterns to crash or reload devices. Those are not the flashy remote code executions, but they can cause network-wide outages.
Operational trade-offs
- Hiding versus hardening: Removing or editing SSH banners reduces fingerprinting but is defensive theater if the underlying software remains vulnerable. Hardening (patching, minimizing exposure, strict auth, rate-limiting, network segmentation) provides substantive protection.
- Attack surface beyond SSH: Banner disclosure often correlates with other detectable services and outdated software; attackers use aggregated signals. Treat banner information as one of many telemetry cues, not an isolated problem.
Practical, prioritized actions
- Patch proactively: Treat advisories for SSH implementations seriously. Even DoS-class CVEs can have high operational impact.
- Minimize exposure: Limit SSH to management networks, enforce ACLs, MFA where feasible, and restrict source IPs.
- Disable weak auth methods: Remove legacy/unsupported SSH auth schemes and disable unused protocol versions.
- Rate-limit and monitor: Apply connection-rate controls and monitor for suspicious connect patterns indicative of exploitation attempts.
- Consider banner control as part of defense-in-depth: If your platform supports safe banner changes, reducing obvious fingerprinting is a low-cost additional layer — but never a substitute for patches and access controls.
A final thought That modest string—SSH-2.0-Cisco-1.25—is both a fingerprint and a narrative warp: it encapsulates how tiny protocol disclosures change attacker economics and how seemingly small implementation quirks cascade into real-world outages. Security that treats banners as trivia misses the larger lesson: resilience comes from reducing exposure, fixing root causes, and assuming attackers will connect the dots.
The string SSH-2.0-Cisco-1.25 is not a specific vulnerability itself, but rather the software version banner
that a Cisco device displays when you connect to its SSH server.
Security scanners (like Nessus or Qualys) often flag this banner because it reveals the device's operating system and version, which can help an attacker identify known vulnerabilities. Below is a breakdown of what this banner means and the actual vulnerabilities often associated with it. What is SSH-2.0-Cisco-1.25? The string SSH-2
When an SSH client connects to a Cisco router or switch, the two devices exchange "version strings" to ensure they can talk to each other.
: Indicates the device is using SSH protocol version 2.0 (more secure than 1.x). Cisco-1.25
: This is the specific internal version of the Cisco SSH server software running on the device. Why do scanners flag it? (The "Vulnerability")
Security audits often list this as a "medium" or "low" risk because of Information Disclosure
. By advertising the exact version of the SSH server, the device tells a potential attacker exactly which bugs might be exploitable on that specific system.
However, "Cisco-1.25" is found across many different IOS versions. Depending on which IOS version you are running, your device might be vulnerable to several real, documented threats: SSH Terrapin Prefix Truncation Weakness - Cisco Community
The banner SSH-2.0-Cisco-1.25 is a standard version string identifying the Secure Shell (SSH) server running on many
devices. While the banner itself is not a vulnerability, it helps attackers identify the underlying software to target specific known flaws. Cisco Community
The most critical vulnerabilities associated with Cisco SSH implementations (which often report this banner) include: Critical Vulnerabilities Authentication Bypass (CVE-2015-6280) : A flaw in the SSHv2 public key authentication
implementation allows a remote attacker to bypass authentication. By using a crafted private key, an attacker could log in with the privileges of the targeted user or the Virtual Teletype (VTY) line.
: The device must be configured for RSA-based user authentication. Remote Code Execution (CVE-2025-32433)
: Recent disclosures highlight a critical vulnerability in the Erlang/OTP SSH server
used by many modern Cisco products. It allows unauthenticated attackers to execute arbitrary code by sending specific messages before authentication occurs. Würth Phoenix Terrapin Attack (CVE-2023-48795)
: A prefix truncation weakness that allows a man-in-the-middle (MitM) attacker to downgrade connection security by bypassing integrity checks. Cisco Community Denial of Service (DoS) SSH Terrapin Prefix Truncation Weakness - Cisco Community 12 Jan 2024 —
The phrase "SSH-2.0-Cisco-1.25" is a standard identification banner sent by many Cisco devices when a remote connection is initiated. While the banner itself is not a vulnerability, it acts as a "fingerprint" that tells attackers exactly what version of the Cisco SSH software is running, which helps them target specific known flaws. The real vulnerabilities behind similar banners
Currently, the "story" for this version involves two major security concerns: 1. The Terrapin Attack (CVE-2023-48795)
Many Cisco devices using the Cisco-1.25 SSH stack were found to be vulnerable to the Terrapin attack.
The Flaw: This is a "prefix truncation" attack where a man-in-the-middle (MitM) attacker can secretly remove parts of the encrypted handshake.
The Impact: By removing these early messages, an attacker can downgrade your connection's security, turning off modern encryption features or security extensions without the user ever knowing.
Fix: Cisco has released bug fixes (e.g., CSCwi61646 for Catalyst switches) that implement a "strict key exchange" to block this attack. 2. Critical Remote Code Execution (CVE-2025-32433)
In early 2025, a critical vulnerability was identified in certain Cisco products where the SSH server was built using the Erlang/OTP library.
The Flaw: An attacker can send specific protocol messages before authenticating, exploiting a memory or logic error in how the SSH server handles early communication.
The Impact: This is a 10.0 CVSS (Maximum Severity) flaw because it allows an unauthenticated attacker to execute code remotely (RCE) on the device, potentially taking full control.
Status: While this affects many devices showing the Cisco-1.25 banner, it specifically impacts those running the Erlang-based SSH service. Summary of Risk Exposure
Over 300,000 devices globally were recently detected online with this specific banner. Main Vulnerabilities Terrapin Attack (Downgrade) and Pre-Auth RCE. Mitigation
Update your Cisco IOS/NX-OS to the latest version. You can check your status on the Cisco Bug Search Tool using your specific device model.
CSCwi64420 - SSH vulnerable to terrapin attack ... - Cisco Bug
The identifier SSH-2.0-Cisco-1.25 is not a specific vulnerability itself, but rather the version banner that a Cisco device sends to identify its SSH software.
If your vulnerability scanner flagged this banner, it is likely highlighting the Terrapin Attack (CVE-2023-48795), which affects various Cisco SSH implementations including the version identified by that banner. 🛡️ Vulnerability Report: SSH Terrapin Attack 1. Description
The Terrapin Attack is a prefix truncation weakness in the SSH protocol. It allows a Man-in-the-Middle (MitM) attacker to delete messages during the initial handshake without the client or server noticing. SSH Terrapin Prefix Truncation Weakness - Cisco Community
Quick Summary
SSH-2.0-Cisco-1.25 is not a CVE by itself — it’s a banner string identifying a Cisco IOS or IOS-XE device running an SSH server version derived from old/embedded code.
It’s often flagged in scans because:
- It’s associated with Cisco’s legacy SSHv2 implementation.
- Older versions of this banner correlate with Cisco IOS known vulnerabilities (e.g., CVE-2011-3279, CVE-2015-6274).
- It may indicate an unpatched device vulnerable to SSH algorithm downgrade or DoS.
D. End-of-Life (EOL) / End-of-Support (EOS) Risks
Devices reporting SSH-2.0-Cisco-1.25 are often running software that has reached End-of-Life. This means they no longer receive security patches for newly discovered vulnerabilities, making them a persistent security liability.
5. False positives & notes
- Some newer Cisco devices (e.g., IOS-XE, NX-OS) may also show
Cisco-1.25but are not vulnerable – the banner string was reused in some later builds. Always check the actual IOS version. - Tools like Nessus or OpenVAS might flag
SSH-2.0-Cisco-1.25as “potential vulnerability” – verify manually.
