Ssh-2.0-cisco-1.25 Vulnerability File

Network scanning tools like Nmap or Shodan frequently report banners such as SSH-2.0-Cisco-1.25. Penetration testers and security analysts may mistakenly search for a “CVE-XXXX-XXXX” matching this exact string. This paper corrects that misconception and provides a practical framework for risk assessment.

show ip ssh

Ensure SSH version 2 is still enabled and banner changes to a newer string (e.g., SSH-2.0-Cisco-1.26 or higher). ssh-2.0-cisco-1.25 vulnerability

An attacker sending a single crafted SSHv2 packet can crash the device. No logs may be left before crash. Network scanning tools like Nmap or Shodan frequently

The most common critical finding for this specific version is the preference for the Diffie-Hellman Group 1 (diffie-hellman-group1-sha1) key exchange. Ensure SSH version 2 is still enabled and

On Cisco ASA devices that reported similar version strings (often overlapping with 1.25), there was a vulnerability where processing specific SSH packets would not free memory correctly. Over days or weeks, the device would exhaust memory and stop passing traffic. This required a reboot to resolve.