SSH-2.0-Cisco-1.25 Vulnerability

If a network scan reveals devices reporting this version string, immediate action is required.

1. Upgrade the IOS/Firmware. The only true fix is to upgrade the device's firmware to a modern version of Cisco IOS or IOS-XE that supports current SSH standards (SSH v2 with AES-256 and RSA 2048-bit keys or higher).

2. Device Replacement. In many cases, devices running cisco-1.25 have reached "End of Life" (EOL) and "End of Support" (EOS), which means Cisco no longer releases patches for them. If the hardware cannot run a modern IOS version, the device must be replaced.

3. Network Segmentation. If replacement or upgrade is not immediately possible, the device must be isolated. It should not be reachable from the public internet or from general user network segments. Place it behind a firewall that strictly limits access to designated management IP addresses.

4. Disable SSH (Last Resort). If SSH is not required and the device cannot be upgraded, disable the SSH service entirely and manage the device over a console cable (out-of-band management) to remove the remote attack vector.

To find affected devices, use the nmap SSH scripts:

nmap --script ssh2-enum-algos -p 22 <target>
nmap --script ssh-hostkey --script-args ssh_hostkey=all -p 22 <target>

In the output, look for the banner:

SSH-2.0-Cisco-1.25

This banner appears in vulnerable releases across many 12.2, 12.3 and 12.4 trains. Fixed releases are typically 12.4(24)T5 or higher, 12.2(33)SXI5, 15.1(1)T1, etc.
Check Cisco Security Advisory cisco-sa-20110330-ssh for the exact fixed versions.


To determine whether a device reporting SSH-2.0-Cisco-1.25 is actually vulnerable:

  • Check patch availability against the relevant Cisco Bug IDs.
  • On Cisco ASA devices that reported similar version strings (often overlapping with 1.25), there was a vulnerability where processing specific SSH packets did not free memory correctly. Over days or weeks the device would exhaust its memory and stop passing traffic, and only a reboot resolved it.
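As an added example (not from this page and not Cisco's own tooling), here is a small Python triage helper that parses the SSH identification string each host returns (the RFC 4253 form SSH-protoversion-softwareversion) and flags hosts running the legacy Cisco-1.25 server; the host addresses and banners are constructed sample data standing in for scanner output.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
# Matched case-insensitively because scanners and tickets often lowercase it.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$",
    re.IGNORECASE,
)

# Constructed sample banners keyed by hypothetical host address.
SAMPLE_BANNERS = {
    "10.0.0.1": "SSH-2.0-Cisco-1.25",
    "10.0.0.2": "SSH-1.99-Cisco-1.25",   # 1.99 means SSHv1 is also offered
    "10.0.0.3": "SSH-2.0-OpenSSH_9.6",
    "10.0.0.4": "SSH-2.0-Cisco-2.0",
    "10.0.0.5": "not an ssh banner",
}


def parse_banner(banner):
    """Split an SSH identification string into its parts, or None if malformed."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def is_legacy_cisco(banner):
    """True when the software version is the legacy Cisco-1.25 SSH server."""
    parsed = parse_banner(banner)
    return parsed is not None and parsed["software"].lower() == "cisco-1.25"


def triage(banners):
    """Return (host, proto, offers_sshv1) for every host reporting Cisco-1.25.

    offers_sshv1 is True for a 1.99 protocol version, which advertises that the
    server also accepts SSHv1 and so needs the same isolation or upgrade sooner.
    """
    findings = []
    for host, banner in banners.items():
        if is_legacy_cisco(banner):
            proto = parse_banner(banner)["proto"]
            findings.append((host, proto, proto == "1.99"))
    return sorted(findings)
```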