While a banner itself is not a flaw, exposing SSH-2.0-Cisco-1.25 allows attackers to fingerprint the device. Network scanning engines like Shodan and Censys have indexed hundreds of thousands of internet-facing devices broadcasting this exact banner, identifying them as potential targets for multiple critical SSH-related vulnerabilities. Anatomy of the Vulnerabilities Affecting Cisco-1.25
For more information on the SSH-2.0-Cisco-1.25 vulnerability, including patches and workarounds, please refer to:
If you have recently run a vulnerability scan like Nessus or OpenVAS against your Cisco infrastructure, you may have seen a reference to . While this string is actually a version banner rather than a single specific "vulnerability," it often serves as a primary indicator for several critical security flaws affecting Cisco’s SSH implementation. What is SSH-2.0-Cisco-1.25?
1. Critical Erlang/OTP SSH Pre-Authentication RCE (CVE-2025-32433) ssh-2.0-cisco-1.25 vulnerability
Router(config)# ip ssh time-out 60 Router(config)# ip ssh authentication-retries 3 Use code with caution.
# Disable weak Diffie-Hellman groups ip ssh dh min size 2048 # Specify secure ciphers (prefer CTR or GCM modes) ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr # Specify secure Message Authentication Codes (MACs) ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512 Use code with caution. Copied to clipboard Step 3: Obfuscate the Banner (Optional)
The only true fix is to upgrade the device's firmware to a modern version of Cisco IOS or IOS-XE that supports current SSH standards (SSH v2 with AES-256 and RSA 2048-bit keys or higher). While a banner itself is not a flaw, exposing SSH-2
Upgrade the device firmware to a supported release and regenerate RSA keys.
Ensure the device is configured to only allow SSH version 2 and that the server-side RSA keys are properly managed. 6. Conclusion
The version "1.25" is archaic. It dates back to early Cisco IOS (Internetwork Operating System) implementations from the early-to-mid 2000s. While modern Cisco devices run much newer SSH implementations, seeing this specific version string in 2023/2024 is an immediate red flag. It suggests the device is running an operating system that has not been updated in potentially two decades. While this string is actually a version banner
You can verify if your devices are presenting this banner by running an SSH connection test from an external machine: ssh -v username@your-cisco-device-ip Use code with caution.
Before applying fixes, you must identify which devices are exposing this banner. 1. Manual Verification via CLI