Made on
Tilda
The string "SSH-2.0-Cisco-1.25" is a version identifier frequently returned by the Secure Shell (SSH) server on Cisco IOS and IOS XE devices during a protocol handshake. While this specific string describes the Cisco implementation of the SSH-2.0 protocol rather than a single vulnerability, devices reporting this version have recently been linked to a maximum-severity flaw (CVSS 10.0) in the underlying Erlang/OTP SSH server implementation. The Critical Erlang/OTP SSH Vulnerability
In April 2025, a critical vulnerability was disclosed affecting the Erlang/OTP SSH server, which is embedded in various Cisco products and telecommunications systems.
Severity: Classified with a CVSS v3.1 score of 10.0, indicating maximum severity.
Mechanism: The flaw exists in the handling of SSH protocol messages during the authentication phase. An unauthenticated, remote attacker can send specific connection protocol messages before authentication is completed.
Impact: A successful exploit allows for unauthenticated remote code execution (RCE) on the target system. This can lead to full system compromise, including unauthorized data access and denial of service (DoS). ssh-2.0-cisco-1.25 vulnerability
Exploitation: Cisco’s Product Security Incident Response Team (PSIRT) noted attempted exploitation of this vulnerability in the wild as of June 2025. Exposure and Attack Surface
Security research reports from April 2025 highlighted significant global exposure for devices identifying as "SSH-2.0-Cisco-1.25". Shodan: Approximately 92,000 exposed instances found. Censys: Over 103,000 instances identified. FOFA: Up to 309,000 instances detected. Related Historical Vulnerabilities
Older Cisco SSH implementations, including those that may return the 1.25 identifier, have been subject to other notable security advisories: What is Cisco-1.25 in ssh logging.
0 Helpful. Georg Pauwen. VIP Alumni. 02-16-2021 12:30 AM. Hello, I think the '1.25' part is the Cisco specific vendor version ID. Cisco Community SSH Terrapin Prefix Truncation Weakness - Cisco Community The string "SSH-2
Here’s a breakdown of what’s commonly referred to in security research as the “SSH-2.0-Cisco-1.25” fingerprint, including its background, associated vulnerabilities, and how to investigate it properly.
In the world of network security, few things cause a spike in adrenaline quite like an unfamiliar banner appearing in your vulnerability scanner. For many system administrators and security analysts, the string "ssh-2.0-cisco-1.25" is one such trigger. Scrolling through a Nessus, OpenVAS, or Qualys report, this identifier often appears under "SSH Server Version Information," flagged with a medium or high-severity warning.
But is this a critical zero-day exploit? A backdoor? A misconfiguration?
The short answer is more nuanced. The "ssh-2.0-cisco-1.25 vulnerability" is not a singular, unpatched software flaw. Rather, it is a version fingerprint associated with specific Cisco operating systems (primarily older versions of Cisco IOS and Cisco NX-OS) that historically contained several known, documented vulnerabilities. Legacy SSH implementations were designed in an era
This article will dissect exactly what SSH-2.0-Cisco-1.25 means, explore the real vulnerabilities tied to this SSH implementation, distinguish between myth and fact, and provide a definitive guide to remediation.
Legacy SSH implementations were designed in an era when cryptography standards were different. cisco-1.25 often supports:
This banner is frequently associated with a vulnerability where the SSH server does not properly validate the state during the handshake process.
ssh -oKexAlgorithms=diffie-hellman-group1-sha1 -c 3des-cbc user@target
If it connects without warning → vulnerable.
If an immediate software upgrade is not possible due to hardware limitations, apply the following configurations on the Cisco device:
The most famous vulnerability associated with this version string is the Cisco "Small SSH" issue. Early implementations of SSH on Cisco IOS had a flaw in the key exchange mechanism. In certain configurations, an attacker could bypass authentication entirely. If a device reports this version string, it is highly likely susceptible to authentication bypass, allowing an attacker to gain administrative access without a password.