CVE-2017-3881

CRITICAL KEV NUCLEI

Cisco - Remote Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

CVE-2017-3881 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 9 public exploits from researchers including Artem Kondratenko, artkond, 1337g, including a Metasploit module auxiliary/dos/cisco/ios_telnet_rocem. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a buffer overflow in Cisco Catalyst 2960 switches to patch the execution flow, enabling credential-less telnet access with privilege level 15. It uses ROP gadgets to manipulate memory and bypass authentication.

Description

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.

Exploits (9)

exploitdb WORKING POC
by Artem Kondratenko · pythonremotehardware
https://www.exploit-db.com/exploits/41872

This exploit leverages a buffer overflow in Cisco Catalyst 2960 switches to patch the execution flow, enabling credential-less telnet access with privilege level 15. It uses ROP gadgets to manipulate memory and bypass authentication.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Cisco Catalyst 2960 with IOS version c2960-lanbasek9-mz.122-55.SE11
No auth needed
Prerequisites: Network access to the target device · Telnet service enabled on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Artem Kondratenko · pythonremotehardware
https://www.exploit-db.com/exploits/42122

This exploit targets CVE-2017-3881, a buffer overflow vulnerability in Cisco IOS telnet service. It uses ROP gadgets to bypass authentication and set privilege level 15 (admin) by manipulating memory structures.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Complex
Reliability
Reliable
Target: Cisco IOS (multiple versions)
No auth needed
Prerequisites: Network access to target telnet service (port 23) · Vulnerable Cisco IOS version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 211 stars
by artkond · remote
https://github.com/artkond/cisco-rce

This repository contains a working Proof-of-Concept exploit for CVE-2017-3881, a remote code execution vulnerability in Cisco IOS. The exploit leverages a buffer overflow in the Cisco Cluster Management Protocol (CMP) to achieve privilege escalation on Cisco Catalyst 2960 switches running specific firmware versions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Cisco IOS on Cisco Catalyst 2960 switches (12.2(55)SE1, 12.2(55)SE11)
No auth needed
Prerequisites: Network access to the target device's telnet service (port 23) · Target device running vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by 1337g · remote
https://github.com/1337g/CVE-2017-3881

This repository contains a working Proof-of-Concept exploit for CVE-2017-3881, a remote code execution vulnerability in Cisco IOS. The exploit leverages a buffer overflow in the Cisco Cluster Management Protocol (CMP) to achieve privilege escalation on Cisco Catalyst 2960 switches running specific firmware versions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Cisco IOS on Cisco Catalyst 2960 switches (firmware versions 12.2(55)SE1 and 12.2(55)SE11)
No auth needed
Prerequisites: Network access to the target device's telnet service (port 23) · Target device running vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by homjxi0e · dos
https://github.com/homjxi0e/CVE-2017-3881-exploit-cisco-

This is a Metasploit auxiliary module that exploits CVE-2017-3881, a vulnerability in Cisco IOS and IOS XE Software's Cluster Management Protocol (CMP) processing. It triggers a Denial of Service (DoS) by sending a malformed Telnet packet to the target device.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Cisco IOS and IOS XE Software (affecting multiple Cisco switches)
No auth needed
Prerequisites: Target device configured to accept Telnet connections
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by mzakyz666 · remote
https://github.com/mzakyz666/PoC-CVE-2017-3881

This repository contains a working PoC for CVE-2017-3881, a vulnerability in Cisco IOS telnet service affecting multiple Cisco switches. It includes both a Denial of Service (DoS) Metasploit module and RCE exploits for specific firmware versions of Cisco Catalyst 2960 switches.

Classification
Working Poc 95%
Attack Type
Rce | Dos
Complexity
Moderate
Reliability
Reliable
Target: Cisco IOS on Cisco Catalyst 2960 switches (firmware versions 12.2(55)SE1 and 12.2(55)SE11)
No auth needed
Prerequisites: Network access to the target device's telnet service (port 23)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by homjxi0e · remote-auth
https://github.com/homjxi0e/CVE-2017-3881-Cisco

This is a working proof-of-concept exploit for CVE-2017-3881, a buffer overflow vulnerability in Cisco Catalyst 2960 switches. The exploit leverages a crafted payload sent via telnet to achieve remote code execution, enabling credless authentication with privilege level 15.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Cisco Catalyst 2960 with IOS version c2960-lanbasek9-mz.122-55.SE11
No auth needed
Prerequisites: Telnet service enabled on the target Cisco Catalyst 2960 switch · Network access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/threat9/routersploit

This repository contains the RouterSploit framework, an open-source exploitation framework for embedded devices, including exploits, scanners, and credential testing modules. It includes functional exploit code for various vulnerabilities, including CVE-2017-3881, which is a remote code execution vulnerability in Cisco IOS and IOS XE software.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco IOS and IOS XE software
No auth needed
Prerequisites: Network access to the target device · Python 3.6 or higher
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC
by Artem Kondratenko · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb

This Metasploit module exploits a Denial of Service (DoS) vulnerability in Cisco IOS telnet service by sending a malformed packet. It targets Cisco Catalyst switches and triggers a crash in the telnet service.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Cisco IOS telnet service (affecting Cisco Catalyst 2960 and 3750)
No auth needed
Prerequisites: Network access to the target device's telnet service (port 23)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Cisco IOS 12.2(55)SE11 - Remote Code Execution
CRITICALby dwisiswant0
Shodan: product:"cisco ios http config" || cpe:"cpe:2.3:o:cisco:ios"

References (7)

Core 7
Core References
Broken Link exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41874/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41872/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97391
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96960
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038059

Scores

CVSS v3 9.8
EPSS 0.9428
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2017-03-17
InTheWild.io 2017-03-17
ENISA EUVD EUVD-2017-12998
CWE
CWE-20
Status published
Products (3)
cisco/ios 12.2s - 15.1\(3\)svs
cisco/ios_xe 3.2sg - 3.9e
n/a/Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software
Published Mar 17, 2017
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026