A sophisticated cyberattack campaign, termed Operation Zero Disco, has been identified in which threat actors are actively exploiting a critical vulnerability in Cisco’s Simple Network Management Protocol (SNMP) implementation to install Linux rootkits on vulnerable network devices.
Trend Micro’s research has uncovered that attackers are leveraging CVE-2025-20352, a vulnerability that permits remote code execution (RCE) and facilitates persistent unauthorized access. This campaign predominantly targets older Cisco switches that lack contemporary security measures. As of October 2025, enterprise networks have been significantly impacted, underscoring the persistent risks associated with legacy infrastructure.
Technical Details of the Vulnerability
The underlying flaw, as detailed in Cisco’s security advisory, is a buffer overflow in the SNMP authentication framework of Cisco IOS XE Software. By sending specially crafted SNMP Get-Request packets, attackers can overflow the buffer and achieve arbitrary code execution on both 32-bit and 64-bit switch architectures.
Upon successful exploitation, the malware deploys a rootkit that sets a universal password containing the string disco, a subtle reference to Cisco. This grants attackers broad access across the device’s authentication methods, including AAA and local logins. The rootkit resides in the IOSd memory space; it is fileless and does not survive a reboot, which complicates detection efforts.
Exploitation Techniques and Attack Scenarios
Trend Micro’s investigation revealed that attackers are combining this SNMP vulnerability with a modified exploit for the older Telnet vulnerability CVE-2017-3881. The modified exploit is repurposed for memory read/write operations rather than direct RCE.
For 32-bit targets, such as the legacy Cisco 3750G series, network captures show commands such as $(ps -a split across fragmented SNMP packets because of the byte limit per packet.
On 64-bit platforms, including Cisco 9400 and 9300 series, exploits necessitate elevated privileges to activate guest shells. This enables UDP-based controllers to perform advanced post-exploitation activities, such as toggling logs, bypassing access controls, and concealing configuration changes. Notably, attackers have been observed hiding specific Access Control Lists (ACLs) and Embedded Event Manager (EEM) scripts.
In simulated scenarios that mirror real-world breaches, attackers infiltrate segmented networks by exploiting default public SNMP communities on switches. They circumvent external firewalls using stolen credentials, then target core switches to manipulate VLAN routing and execute ARP spoofing via Linux ELF binaries operating in guest shells.
By impersonating trusted waystation IPs, intruders can disable logging, redirect traffic, and access protected zones like server farms without triggering internal firewalls. Upon exiting, they restore logs and timestamps to erase traces, facilitating undetected lateral movement across demilitarized zones (DMZs), offices, and secure data areas.
Targeted Systems and Persistence Mechanisms
The campaign primarily focuses on outdated Linux-based systems that lack endpoint detection and response (EDR) tools. Attackers employ spoofed IPs and email addresses to maintain anonymity.
While Address Space Layout Randomization (ASLR) on newer models can thwart some exploitation attempts, persistent probing has still led to successful breaches, as observed in Trend Micro’s telemetry data.
Cisco has collaborated on forensic analyses, confirming impacts on both phased-out 3750G devices and active 9400 and 9300 lines.
Mitigation Strategies
Currently, no automated tools can fully detect these rootkits. Organizations are advised to contact Cisco’s Technical Assistance Center (TAC) for comprehensive firmware inspections.
Trend Micro recommends deploying Cloud One Network Security for virtual patching and intrusion prevention. Additionally, implementing Deep Discovery Inspector rules, such as rule 5497 for UDP controller traffic, can enhance detection capabilities.
For Vision One customers, hunting queries and Indicators of Compromise (IoC) sweeps are available, with exploit blocking facilitated through rules like 46396 for SNMP overflows.
Immediate patching of CVE-2025-20352 is crucial. Organizations should also restrict SNMP access to authenticated communities and segment legacy devices to mitigate potential risks.
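The advice above to stop relying on default communities and to restrict SNMP access can be expressed as a Cisco IOS configuration. The following is an added illustration, not configuration from Trend Micro or Cisco: the first block shows the weak setting the campaign abuses, the second a hardened replacement that removes the default community, requires SNMPv3 authentication and encryption, and limits polling to a management subnet. The ACL name, group name, user name, management subnet and the two secrets are placeholders.

```cisco
! --- Weak: default read-only community, pollable from any source ---
snmp-server community public RO

! --- Hardened replacement ---
! Management hosts allowed to poll SNMP (constructed example subnet)
ip access-list standard SNMP-MGMT
 permit 10.10.250.0 0.0.0.255
 deny any log
!
! Remove the default community entirely
no snmp-server community public
!
! Define what authenticated SNMPv3 users may read
snmp-server view MON-VIEW iso included
!
! SNMPv3 group: 'priv' requires both authentication and encryption,
! and the group is bound to the management ACL
snmp-server group NMS-GROUP v3 priv read MON-VIEW access SNMP-MGMT
!
! SNMPv3 user with SHA authentication and AES-128 privacy
! (<AUTH-SECRET> and <PRIV-SECRET> are placeholders)
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-SECRET> priv aes 128 <PRIV-SECRET> access SNMP-MGMT
```

This reduces exposure of the SNMP service but, as the article notes, does not replace patching CVE-2025-20352 and segmenting legacy devices.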
This operation underscores the dangers of unpatched network equipment, urging enterprises to prioritize updates amid rising threats from state-sponsored actors and cybercriminals.