A sophisticated attack campaign dubbed “Operation Zero Disco” has been uncovered, in which threat actors are actively exploiting a critical Cisco Simple Network Management Protocol (SNMP) vulnerability to install Linux rootkits on vulnerable network devices.
Trend Micro observed an operation exploiting CVE-2025-20352, which allows remote code execution (RCE) and grants persistent unauthorized access, primarily targeting older Cisco switches that lack modern protections.
As of October 2025, the campaign has impacted enterprise networks, highlighting ongoing risks in legacy infrastructure.
The core flaw, detailed in Cisco’s security advisory, stems from a buffer overflow in the SNMP authentication framework on Cisco IOS XE Software.
Attackers send crafted SNMP Get-Request packets to overflow the buffer, allowing arbitrary code execution on both 32-bit and 64-bit switch architectures.
Once exploited, the malware deploys a rootkit that sets a universal password containing the term “disco” (a subtle nod to “Cisco”), granting attackers broad access across authentication methods such as AAA and local logins.
This password mechanism hooks into the IOSd memory space; because it is fileless and lives only in memory, it vanishes upon reboot, which complicates detection.
Cisco SNMP Vulnerability Actively Exploited
Trend Micro’s investigation revealed attackers chaining this with a modified Telnet vulnerability derived from CVE-2017-3881, repurposed for memory read/write operations rather than outright RCE.
For 32-bit targets like the legacy Cisco 3750G series, network captures showed fragmented SNMP packets smuggling commands such as “$(ps -a”, limited by the byte constraints of each packet.

On 64-bit platforms, including Cisco 9400 and 9300 series, exploits require elevated privileges to activate guest shells, enabling UDP-based controllers for advanced post-exploitation.
These controllers toggle logs, bypass access controls, and conceal configuration changes, such as hiding specific ACLs (e.g., EnaQWklg0) or EEM scripts (CiscoEMX-1 through 5).
In simulated scenarios mirroring real-world breaches, attackers infiltrate segmented networks by exploiting default public SNMP communities on switches.
They bypass external firewalls using stolen credentials, then target core switches to manipulate VLAN routing and perform ARP spoofing via Linux ELF binaries run in guest shells.

By impersonating trusted waystation IPs, intruders disable logging, redirect traffic, and access protected zones like server farms without triggering internal firewalls.
Upon exit, they restore logs and timestamps to erase traces, facilitating undetected lateral movement across DMZs, offices, and secure data areas.
The campaign focuses on outdated Linux-based systems without endpoint detection and response (EDR) tools, using spoofed IPs and email addresses for anonymity.
While Address Space Layout Randomization (ASLR) on newer models thwarts some attempts, persistent probing can still succeed, as observed in Trend Micro telemetry.
Cisco collaborated on forensics, confirming impacts on phased-out 3750G devices alongside active 9400 and 9300 lines.
Mitigations
No automated tool fully detects these rootkits, so organizations should contact Cisco TAC for firmware inspections.
Trend Micro recommends deploying Cloud One Network Security for virtual patching and intrusion prevention, alongside Deep Discovery Inspector rules like 5497 for UDP controller traffic.
Vision One customers gain hunting queries and IoC sweeps, blocking exploits via rules such as 46396 for SNMP overflows.
Patching CVE-2025-20352 immediately, restricting SNMP to authenticated communities, and segmenting legacy devices are critical steps.
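The report twice points at SNMP community configuration: default “public” communities on switches are the initial foothold, and restricting SNMP to authenticated access is listed among the mitigations. The script below is an added example, not code from Trend Micro or Cisco. It audits the text of a Cisco IOS/IOS XE `show running-config` for SNMPv1/v2c communities that use a default string, grant read-write access, or are not restricted by an access list, and checks whether an SNMPv3 group with authentication and privacy exists. It also greps for the configuration names the report says the rootkit conceals (EEM applets CiscoEMX-1 through 5 and the ACL EnaQWklg0); because the report states these are hidden from the running configuration on a compromised device, a hit is a strong signal but a miss proves nothing. All configuration snippets are constructed for the example.

```python
"""Offline SNMP exposure audit for a Cisco IOS/IOS XE running-config dump.

Added example, not from the report or from Cisco. Input is the plain text of
`show running-config`; output is a list of findings. Configs are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# An SNMPv3 group requiring authentication and encryption.
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv\b", re.IGNORECASE)
# Names the report cites as concealed by the rootkit (EEM applets, ACL).
INDICATOR_RE = re.compile(r"\b(CiscoEMX-[1-5]|EnaQWklg0)\b")

# Constructed: weak configuration of the kind the report describes as the foothold.
SAMPLE_CONFIG = """\
hostname core-sw-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community mgmt-ro RO 10
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
access-list 10 permit 10.0.5.10
"""

# Constructed: v1/v2c communities removed, SNMPv3 auth+priv only, bound to an ACL.
HARDENED_CONFIG = """\
hostname core-sw-1
!
snmp-server group NETMON v3 priv access 10
snmp-server user monitor NETMON v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
access-list 10 permit 10.0.5.10
"""

# Constructed: what the hidden objects would look like if they were visible.
SUSPICIOUS_SNIPPET = """\
event manager applet CiscoEMX-3
 event none
ip access-list extended EnaQWklg0
 permit ip any any
"""


def audit_snmp_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weakness found in the SNMP configuration."""
    findings: List[Dict[str, str]] = []
    has_v3_priv = False
    has_v2c = False
    for raw in config.splitlines():
        line = raw.strip()
        if V3_PRIV_RE.match(line):
            has_v3_priv = True
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        has_v2c = True
        name = m["name"]
        mode = (m["mode"] or "RO").upper()  # IOS defaults a community to RO
        acl = m["acl"]
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append({"severity": "critical", "line": line,
                             "reason": f"default community string '{name}'"})
        if mode == "RW":
            findings.append({"severity": "high", "line": line,
                             "reason": "read-write community"})
        if acl is None:
            findings.append({"severity": "medium", "line": line,
                             "reason": "community not restricted by an ACL"})
    if has_v2c and not has_v3_priv:
        findings.append({"severity": "medium", "line": "(global)",
                         "reason": "v1/v2c communities present and no SNMPv3 priv group"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by severity."""
    return dict(Counter(f["severity"] for f in findings))


def indicator_hits(config: str) -> List[str]:
    """Lines naming the EEM applets or ACL the report associates with the rootkit."""
    return [ln.strip() for ln in config.splitlines() if INDICATOR_RE.search(ln)]


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {summarize(audit_snmp_config(cfg))}")
        for f in audit_snmp_config(cfg):
            print(f"  [{f['severity']}] {f['reason']}: {f['line']}")
    print("indicator hits:", indicator_hits(SUSPICIOUS_SNIPPET))
```

Run it against a saved `show running-config` from each switch as part of the inventory review the report calls for; any critical or high finding on a device that has not yet received the CVE-2025-20352 fix should move that device to the front of the patch queue. The audit only reduces exposure of the SNMP service and does not replace the patch or the Cisco TAC firmware inspection the report recommends for suspected compromise.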
This operation underscores the dangers of unpatched network gear, urging enterprises to prioritize updates amid rising state-sponsored and cybercrime threats.