Operation Zero Disco: Hackers Exploit Cisco SNMP Flaw to Deploy Stealthy Linux Rootkits
- John Jordan
- 5 days ago
- 3 min read
Updated: 22 hours ago
A sophisticated cyberattack campaign, dubbed "Operation Zero Disco," has been discovered exploiting a critical vulnerability in Cisco's Simple Network Management Protocol (SNMP) implementation. Threat actors are leveraging this flaw to deploy potent Linux rootkits on older, unprotected network devices, gaining persistent unauthorized access and evading detection.

Key Takeaways
A zero-day vulnerability (CVE-2025-20352) in Cisco's SNMP subsystem was exploited before being patched.
Attackers deploy Linux rootkits, enabling remote code execution and persistent access.
The campaign targets older Cisco switch models lacking modern security features.
The rootkit installs a universal password containing "disco" and uses fileless techniques for stealth.
The "Zero Disco" Campaign Unveiled
Cybersecurity researchers have detailed a new campaign that weaponizes CVE-2025-20352, a stack overflow vulnerability within the SNMP subsystem of Cisco IOS Software and IOS XE Software. This flaw allows authenticated, remote attackers to execute arbitrary code by sending specially crafted SNMP packets to vulnerable devices. The campaign, named "Operation Zero Disco" by Trend Micro, was actively exploiting this vulnerability as a zero-day before Cisco released a patch late last month.
The primary targets identified are older Cisco switch series, including the 9400, 9300, and legacy 3750G models. Attackers have also been observed attempting to exploit a modified Telnet vulnerability, based on CVE-2017-3881, to gain memory access capabilities. The intrusions have not yet been attributed to any specific threat actor or group.
Rootkit Deployment and Stealth Tactics
Once a device is compromised, the attackers deploy a Linux rootkit. This malware establishes a universal password that includes the word "disco," a subtle alteration from "Cisco," granting them broad access across various authentication methods. The rootkit then installs hooks into the Cisco IOS daemon (IOSd) memory space, creating fileless components that are designed to disappear after a reboot, making detection significantly more challenging.
Notably, the attackers specifically target older Linux systems that lack endpoint detection and response (EDR) solutions. This strategy allows the rootkits to operate "under the radar." To further obscure their activities, the adversaries have been observed using spoofed IP addresses, MAC addresses, and email addresses during their intrusions.
Advanced Exploitation and Evasion Techniques
Beyond the primary SNMP vulnerability, threat actors have also attempted to exploit a modified Telnet vulnerability (derived from CVE-2017-3881) to enable arbitrary memory read and write operations, though the full extent of its functionality remains unclear. For 64-bit switch builds, exploits require elevated privileges to activate guest shells, which then enable UDP-based controllers for advanced post-exploitation activities. These controllers can toggle logs, bypass access controls, and conceal configuration changes, such as hiding specific account names, EEM scripts, and access control lists.
In simulated scenarios, attackers infiltrate segmented networks by exploiting default public SNMP communities on switches. They can bypass external firewalls using stolen credentials, then target core switches to manipulate VLAN routing and perform ARP spoofing via Linux ELF binaries run in guest shells. By impersonating trusted waystation IP addresses, intruders can disable logging, redirect traffic, and access protected zones without triggering internal firewalls. Upon exiting, they restore logs and timestamps to erase traces, facilitating undetected lateral movement.
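The scenario above starts from a default "public" SNMP community, and the earlier sections mention Telnet exposure and guest shells as the other footholds. The following script is an added example, not code from the article or from Trend Micro, that audits a Cisco IOS/IOS XE running-config for exactly those weak settings and shows a hardened counterpart beside it. Both configs are constructed samples; the command forms it recognises (`snmp-server community`, `snmp-server group`, `iox`, `app-hosting appid guestshell`, `transport input`) are a best-effort reading of common IOS syntax, not an official parser, and the ACL and credential values are placeholders.

```python
"""Audit a Cisco IOS/IOS XE running-config for weak SNMP and management settings.

Added example with constructed sample configs; the regexes below are a
best-effort reading of common IOS command forms, not an official parser.
"""
import re
from typing import List, Optional, Tuple

# Constructed weak config: default community strings, no source ACL, Telnet, guest shell.
WEAK_CONFIG = """\
hostname core-sw-01
!
snmp-server community public RO
snmp-server community private RW
!
iox
app-hosting appid guestshell
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened counterpart: SNMPv3 authPriv only, sources restricted by
# an ACL, no v1/v2c communities, SSH-only VTY access, no guest shell stanza.
# Credential values are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname core-sw-01
!
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
snmp-server group MONITOR v3 priv access SNMP-MGMT
snmp-server user nms-reader MONITOR v3 auth sha PLACEHOLDER-AUTH priv aes 128 PLACEHOLDER-PRIV
!
line vty 0 4
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def _parse_community(line: str) -> Tuple[str, str, Optional[str]]:
    """Parse 'snmp-server community NAME [view V] [RO|RW] [ipv6 ACL6] [ACL]'."""
    tokens = line.split()
    name, rest = tokens[2], tokens[3:]
    mode, acl = "RO", None          # IOS treats a community as read-only when no mode is given
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ("ro", "rw"):
            mode = tok.upper()
        elif tok in ("view", "ipv6"):
            i += 1                  # skip the argument that follows the keyword
            if tok == "ipv6" and i < len(rest):
                acl = rest[i]
        else:
            acl = rest[i]           # trailing token is the IPv4 access list
        i += 1
    return name, mode, acl


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            name, mode, acl = _parse_community(line)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{name}' configured")
            if mode == "RW":
                findings.append(f"community '{name}' is read-write (RW)")
            if acl is None:
                findings.append(f"community '{name}' not restricted by an access list")
        elif re.match(r"snmp-server group \S+ (v1|v2c)\b", line):
            findings.append(f"SNMPv1/v2c group configured: '{line}'")
        elif line == "iox":
            findings.append("IOx application hosting enabled (guest shell prerequisite)")
        elif line.startswith("app-hosting appid guestshell"):
            findings.append("guest shell app-hosting stanza present")
        elif re.match(r"transport input\b.*\btelnet\b", line):
            findings.append(f"VTY accepts Telnet: '{line}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for f in audit_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run against a saved `show running-config` on a lab device, the audit flags the v1/v2c community strings the article's scenario relies on, any community left open to all sources, Telnet on the VTY lines, and the guest shell stanza; the hardened sample returns no findings because it uses SNMPv3 authPriv with a source ACL and SSH-only management access.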
While newer Cisco switch models incorporate Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts, researchers caution that repeated exploitation efforts can still breach these defenses. Organizations are urged to contact Cisco TAC immediately if compromise is suspected and to apply the latest security patches.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks, The Hacker News.
Cisco SNMP Vulnerability Actively Exploited to Install Linux Rootkits, GBHackers News.
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits, www.trendmicro.com.
Cisco SNMP 0-Day Vulnerability Actively Exploited To Deploy Linux Rootkits, Cyber Security News.