Cyberattackers Exploit Cisco SNMP Vulnerability to Deploy Linux Rootkits in ‘Zero Disco’ Campaign

In a recent cybersecurity development, researchers have uncovered a sophisticated campaign, dubbed Operation Zero Disco, that exploits a vulnerability in Cisco’s IOS and IOS XE software to implant Linux rootkits on unprotected systems. This operation leverages CVE-2025-20352, a stack overflow flaw in the Simple Network Management Protocol (SNMP) subsystem, allowing authenticated remote attackers to execute arbitrary code via specially crafted SNMP packets.

Cisco addressed this vulnerability late last month; however, attackers had already exploited it as a zero-day, targeting devices such as Cisco 9400, 9300, and legacy 3750G series switches. Additionally, there were attempts to exploit a modified Telnet vulnerability, based on CVE-2017-3881, to gain memory access.

The deployed rootkits enable remote code execution and persistent unauthorized access by setting universal passwords and embedding hooks into the Cisco IOS daemon (IOSd) memory space. IOSd operates as a software process within the Linux kernel, making it a prime target for such intrusions.

Notably, the attackers focused on older Linux systems lacking endpoint detection and response solutions, facilitating the stealthy deployment of rootkits. They also utilized spoofed IP addresses and Mac email accounts to obscure their activities.

The rootkit includes a UDP controller component capable of listening for incoming UDP packets on any port, disabling log history, creating a universal password by modifying IOSd memory, bypassing AAA authentication, concealing parts of the running configuration, and altering configuration timestamps to mask unauthorized changes.

The moniker Zero Disco stems from the rootkit’s creation of a universal password containing “disco”, a slight alteration of “Cisco”. Researchers noted that the malware installs several hooks into IOSd, resulting in fileless components that disappear after a system reboot. While newer switch models incorporate Address Space Layout Randomization (ASLR) to mitigate such attacks, repeated intrusion attempts can still succeed.

This campaign underscores the critical importance of timely software updates and robust security measures to protect network infrastructure from sophisticated threats.