used by many modern Cisco products. It allows unauthenticated attackers to execute arbitrary code by sending specific messages before authentication occurs. Würth Phoenix Terrapin Attack (CVE-2023-48795)
: The specific software configuration build version assigned to that device's inner SSH subsystem.
Do not rely solely on the Cisco-1.25 string. Determine the precise Cisco IOS/IOS XE version by running show version via the Command Line Interface (CLI). Use the official Cisco Software Checker tool to paste your OS string and find the exact "First Fixed" release to patch against. Step 2: Restrict SSH Access via Control Plane ACLs
0 Helpful. Georg Pauwen. VIP Alumni. 02-16-2021 12:30 AM. Hello, I think the '1.25' part is the Cisco specific vendor version ID. Cisco Community SSH Terrapin Prefix Truncation Weakness - Cisco Community
access-list 100 permit tcp <trusted-networks> any eq 22 line vty 0 4 access-class 100 in ssh-2.0-cisco-1.25 vulnerability
: This is the internal version of the Cisco SSH software implementation. Cisco Community Why Scanners Flag This
Beyond direct security vulnerabilities, the SSH-2.0-Cisco-1.25 server is notorious for several implementation quirks that primarily cause operational headaches and, in some cases, could degrade the security posture of an SSH session.
Use ACLs to restrict SSH access to only trusted source IP addresses and networks. This limits the attack surface and can mitigate many remote vulnerabilities. For Cisco devices, ACLs are a fundamental tool for management plane protection.
: The operating system vendor providing the code framework. used by many modern Cisco products
The string SSH-2.0-Cisco-1.25 is not a vulnerability itself, but rather the identifying a Cisco device's SSH service. Because this banner reveals the specific vendor and version, security scanners often flag it to suggest checking for known vulnerabilities associated with Cisco's SSH implementation.
The most critical vulnerabilities associated with Cisco SSH implementations (which often report this banner) include: Critical Vulnerabilities Authentication Bypass (CVE-2015-6280) : A flaw in the SSHv2 public key authentication
Moral: Treat unexpected SSH banners as a signal to investigate, not ignore. With containment, identification, mitigations, timely patching, and improved processes, small teams can keep critical infrastructure safe.
While the banner itself merely leaks platform data, systems reporting Cisco-1.25 code versions are historically linked to a sequence of critical vulnerabilities within Cisco IOS, IOS XE, and CatOS architectures. The primary risks include: Authentication Bypass via RSA Key Validation Do not rely solely on the Cisco-1
A significant vulnerability in the SSH version 2 protocol implementation allows unauthenticated, remote attackers to bypass user authentication. To exploit this, an attacker must know a valid username configured for RSA-based authentication.
Would you like a ready-to-use or Ansible playbook to detect and remediate this across a network?
To answer the central question: the banner SSH-2.0-Cisco-1.25 itself is not a vulnerability. No known Common Vulnerabilities and Exposures (CVE) entry is tied directly to that specific version string. It is fundamentally an informational message.
Over the years, several other vulnerabilities have been discovered in Cisco’s SSH implementation, many of which would likely present the same banner. These range from simple DoS attacks to severe authentication bypasses.