Cisco SNMP Vulnerability Actively Exploited to Install Linux Rootkits


Cybersecurity researchers at Trend Micro have discovered an active attack campaign dubbed “Operation Zero Disco” that exploits a critical vulnerability in Cisco’s Simple Network Management Protocol (SNMP) implementation.

The vulnerability, tracked as CVE-2025-20352, allows threat actors to execute remote code and deploy sophisticated Linux rootkits on vulnerable network devices.

The campaign primarily targets older Cisco switch models including the 9400 series, 9300 series, and legacy 3750G devices that lack modern endpoint detection and response capabilities.

CVE ID: CVE-2025-20352
Affected Product: Cisco IOS XE Software (32-bit and 64-bit switch builds)
Vulnerability Type: SNMP Buffer Overflow in Authframework OID
CVSS 3.1 Score: Not specified in source
Severity: Critical

Security experts warn that successful exploitation grants attackers persistent unauthorized access to compromised systems, enabling them to hide malicious activity and evade detection by security teams.

Remote Code Execution Enables Rootkit Deployment

CVE-2025-20352 affects both 32-bit and 64-bit Cisco switch builds, allowing attackers to achieve remote code execution through malicious SNMP packets.

[Figure: the malicious SNMP packet carrying the command “$(ps -a”]

Once a device is compromised, the malware installs a rootkit that establishes a universal password containing the word “disco,” believed to be a deliberate one-letter variation of “Cisco.”

The rootkit then injects multiple hooks into the IOSd memory space, creating fileless backdoor components that disappear after system reboots but remain active during normal operation.

Attackers leveraged spoofed IP and MAC addresses to obscure their activities during infiltration attempts.

While newer switch models incorporate Address Space Layout Randomization (ASLR) to reduce successful intrusion rates, researchers note that repeated exploitation attempts can still breach these defenses.

[Figure: The attacker can gain access to other protected zones by impersonating a waystation’s IP address to bypass the internal firewall.]

Trend Micro researchers recovered several distinct exploits from compromised Linux systems targeting different platform architectures.

For 32-bit devices, attackers deployed SNMP exploits capable of installing rootkits, along with a modified exploit for the Telnet vulnerability CVE-2017-3881 that enables arbitrary memory read and write operations.

Network packet captures revealed that malicious commands were split across multiple SNMP packets due to exploit limitations.
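A defender reading captures like the ones described above wants to spot shell command-substitution patterns inside SNMP packets, and to keep spotting them when the payload is fragmented across several packets. The following is an added example, not code from Trend Micro, Cisco, or the attackers: it decodes SNMPv1/v2c BER, extracts the community string and every OCTET STRING value in the PDU, and flags shell metacharacters both per packet and after joining all values from one source address. The sample packets are constructed in the block; the real target OID and payload layout are not given on this page, so the Cisco enterprise arc 1.3.6.1.4.1.9 stands in as a placeholder.

```python
"""Detection helper: flag shell command-substitution patterns in SNMP v1/v2c
packets, including a command fragmented across several packets from one source.
Added illustration, not Trend Micro's, Cisco's or the attackers' code. The
packets below are constructed here; the exploit's real OID and payload layout
are not described on the page, so the Cisco enterprise arc is a placeholder."""
import re
from collections import defaultdict

# Shell metacharacters that have no business in a community string or a
# configuration value; tune to your environment (e.g. ';' in sysLocation).
SHELL_PATTERN = re.compile(r"\$\(|`|\|\||&&|;")

# 1.3.6.1.4.1.9 (Cisco enterprise arc), placeholder for the real target OID.
CISCO_ARC = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x09])


def _read_len(buf, i):
    """Decode a BER length field starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def ber_octet_strings(buf):
    """Walk BER TLVs and collect every OCTET STRING (tag 0x04), recursing into
    constructed types such as SEQUENCE and the context-specific PDU tags."""
    found, i = [], 0
    while i < len(buf):
        tag = buf[i]
        length, j = _read_len(buf, i + 1)
        body = buf[j:j + length]
        if tag & 0x20:              # constructed: SEQUENCE, GetRequest, SetRequest...
            found.extend(ber_octet_strings(body))
        elif tag == 0x04:           # universal OCTET STRING
            found.append(body)
        i = j + length
    return found


def parse_snmp(raw):
    """Return (version, community, [OCTET STRING values inside the PDU]) for an
    SNMPv1/v2c message. SNMPv3 wraps the PDU differently and is rejected here."""
    _, i = _read_len(raw, 1)                  # skip the outer SEQUENCE header
    vlen, j = _read_len(raw, i + 1)           # version INTEGER
    version = int.from_bytes(raw[j:j + vlen], "big")
    if version == 3:
        raise ValueError("SNMPv3 message: not handled by this parser")
    clen, k = _read_len(raw, j + vlen + 1)    # community OCTET STRING
    community = raw[k:k + clen]
    return version, community, ber_octet_strings(raw[k + clen:])


def _tlv(tag, body):
    """Short-form BER TLV (body < 128 bytes), enough for the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def build_set_request(community, oid, value):
    """Construct a minimal SNMPv2c SetRequest with one varbind (sample input only)."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, value))
    pdu = _tlv(0xA3, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)


def scan_packets(packets):
    """packets: iterable of (source_ip, raw_bytes). Returns [(source_ip, text)].
    Each string is checked on its own, then all values from one source are
    joined and re-checked so a command split over several packets still fires."""
    alerts, per_source = [], defaultdict(list)
    for src, raw in packets:
        try:
            _, community, values = parse_snmp(raw)
        except (ValueError, IndexError):
            continue                          # malformed or v3: out of scope here
        texts = [v.decode("latin-1") for v in values]
        for text in [community.decode("latin-1")] + texts:
            if SHELL_PATTERN.search(text):
                alerts.append((src, text))
        per_source[src].extend(texts)
    flagged = {src for src, _ in alerts}
    for src, parts in per_source.items():
        joined = "".join(parts)
        if src not in flagged and SHELL_PATTERN.search(joined):
            alerts.append((src, joined))
    return alerts


if __name__ == "__main__":
    sample = [                                # constructed, not captured traffic
        ("10.0.0.5", build_set_request(b"public", CISCO_ARC, b"$(ps -a")),
        ("10.0.0.6", build_set_request(b"public", CISCO_ARC, b"$")),
        ("10.0.0.6", build_set_request(b"public", CISCO_ARC, b"(ps -a)")),
        ("10.0.0.7", build_set_request(b"public", CISCO_ARC, b"Rack 3 closet")),
    ]
    for src, text in scan_packets(sample):
        print(f"ALERT {src}: {text!r}")
```

In practice the raw bytes would come from a pcap's UDP/161 payloads and the source key from the IP header; the join step is what keeps the check honest against the fragmentation the article describes.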

On 64-bit switch builds, threat actors required level 15 privilege access to run guest shell functionality before installing fileless backdoors.

One recovered exploit could completely disable trace logging on target devices without using memory mapping functions.

Investigators also discovered a UDP controller component designed to manage the rootkit remotely and an ARP spoofing tool specifically crafted for Cisco switches.

The attack methodology demonstrates advanced network intrusion techniques designed to bypass multiple security layers.

After gaining initial access through the SNMP vulnerability, attackers can remotely disable logging functions, assign waystation IP addresses to ports connected to protected zones, and perform ARP spoofing to redirect legitimate traffic while forcing original systems offline.
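The waystation impersonation and ARP spoofing described above leave two observable traces on the segment: an IP whose MAC binding suddenly changes, and a single MAC that starts answering for several IPs. The following added example, which is not the tooling Trend Micro recovered and not Cisco code, is a small arpwatch-style monitor that tracks sender_ip to sender_mac bindings against a baseline and reports both indicators. The baseline and the ARP replies are constructed sample records, and the threshold of IPs per MAC is an assumed tuning value.

```python
"""ARP-spoofing indicators for a switched segment: an IP whose MAC binding
changes, and one MAC that answers for many IPs (waystation impersonation).
Added illustration, not the tooling Trend Micro recovered; the baseline and
ARP replies below are constructed sample records, not captured traffic."""
from collections import defaultdict, namedtuple

# One ARP reply as seen on a monitor/SPAN port (constructed record shape).
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")


class ArpWatch:
    """Track sender_ip -> sender_mac bindings and report conflicts."""

    def __init__(self, baseline=None, max_ips_per_mac=3):
        # Baseline from DHCP leases or static entries (constructed in run_sample).
        self.bindings = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            self.ips_by_mac[mac].add(ip)
        self.max_ips_per_mac = max_ips_per_mac   # assumed tuning value
        self.alerts = []

    def observe(self, reply):
        """Feed one reply; return the list of alert strings it produced."""
        new = []
        mac = reply.sender_mac.lower()
        prev = self.bindings.get(reply.sender_ip)
        if prev is None:
            self.bindings[reply.sender_ip] = mac
        elif prev != mac:
            new.append(f"{reply.ts} binding change {reply.sender_ip}: {prev} -> {mac}")
            self.bindings[reply.sender_ip] = mac  # follow the current claimant
        self.ips_by_mac[mac].add(reply.sender_ip)
        # Alert once, at the moment a MAC crosses the per-MAC IP threshold.
        if len(self.ips_by_mac[mac]) == self.max_ips_per_mac + 1:
            new.append(f"{reply.ts} {mac} now claims {len(self.ips_by_mac[mac])} IPs")
        self.alerts.extend(new)
        return new


# Constructed baseline: two known hosts on the segment.
BASELINE = {"10.1.0.10": "00:11:22:33:44:10", "10.1.0.20": "00:11:22:33:44:20"}


def run_sample():
    """Replay constructed replies; returns all alerts raised."""
    watch = ArpWatch(BASELINE, max_ips_per_mac=2)
    replies = [
        ArpReply(1, "10.1.0.10", "00:11:22:33:44:10"),  # normal, matches baseline
        ArpReply(2, "10.1.0.20", "aa:bb:cc:dd:ee:ff"),  # known IP, new MAC: spoof
        ArpReply(3, "10.1.0.30", "aa:bb:cc:dd:ee:ff"),  # same MAC claims a 2nd IP
        ArpReply(4, "10.1.0.40", "aa:bb:cc:dd:ee:ff"),  # and a 3rd: over threshold
    ]
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT", line)
```

On a real switch the same two signals are what Dynamic ARP Inspection enforces against a DHCP-snooping binding table; the monitor here is useful on segments where that feature is not enabled or where you want an independent record off a SPAN port.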

The UDP controller provides extensive management capabilities including toggling log history, bypassing AAA authentication and VTY access-control lists, enabling universal passwords, concealing portions of running configurations, and resetting timestamps to make configuration changes appear nonexistent.

The rootkit functions as a UDP listener on any port directed to device IP addresses without requiring open ports, while hiding specific account names, EEM scripts, and access control lists from running configurations.

Cisco has contributed forensic analysis to the investigation, and organizations are urged to contact Cisco TAC immediately if compromise is suspected.
