Cybersecurity researchers revealed details of a new campaign that exploited a recently disclosed security flaw in Cisco IOS Software and IOS XE Software. Attackers used the vulnerability to deploy Linux rootkits on older, unprotected systems.
Trend Micro codenamed the activity Operation Zero Disco. The campaign weaponizes CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem. This flaw enables an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device.
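Because CVE-2025-20352 requires an attacker who can already authenticate to SNMP, the practical exposure of a device depends on how its SNMP access is configured. The following audit script is an added example (not code from the article, Trend Micro, or Cisco): it scans a constructed Cisco IOS running-config excerpt for SNMPv1/v2c community strings that use well-known names, grant read-write access, or lack a source ACL, and reports whether an SNMPv3 group with privacy is present. The regular expression and the sample config are assumptions written for this example; real configs can carry additional keywords on the community line.

```python
# Added example, not from the article: audit a Cisco IOS running-config excerpt
# for SNMP settings that widen who counts as an "authenticated" SNMP client.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str    # the offending config line
    reason: str  # why it was flagged


# Constructed sample of an IOS running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname core-sw-01
snmp-server community public RO
snmp-server community private RW
snmp-server community ops-ro RO 10
snmp-server group NETMON v3 priv
access-list 10 permit 192.0.2.10
"""

# v1/v2c community line: name, optional view, RO|RW, optional trailing ACL.
# Assumed simplified form of the IOS "snmp-server community" syntax.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$",
    re.IGNORECASE,
)

# Default or vendor-named community strings that are widely guessed.
WEAK_NAMES = {"public", "private", "cisco"}


def audit_snmp(config: str) -> list[Finding]:
    """Return one Finding per weak property of each v1/v2c community line."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if name.lower() in WEAK_NAMES:
            findings.append(Finding(line, f"well-known community string '{name}'"))
        if mode == "RW":
            findings.append(Finding(line, "read-write community over SNMPv1/v2c"))
        if acl is None:
            findings.append(Finding(line, "no ACL restricting SNMP source addresses"))
    return findings


def has_snmpv3_priv(config: str) -> bool:
    """True if at least one SNMPv3 group is configured with authentication and privacy."""
    return any(
        re.match(r"^snmp-server group \S+ v3 priv\b", ln.strip(), re.IGNORECASE)
        for ln in config.splitlines()
    )


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[!] {f.reason}: {f.line}")
    print("SNMPv3 auth+priv group present:", has_snmpv3_priv(SAMPLE_CONFIG))
```

On the sample above, the `public` and `private` communities are flagged (the latter three times: weak name, read-write, no ACL), while `ops-ro` passes because it is read-only, not a default name, and bound to access-list 10. The script only inspects configuration; it does not test whether the device is patched, so it complements rather than replaces applying Cisco's fix.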
So far, researchers have not linked these intrusions to any known threat actor or group.
Cisco patched the vulnerability late last month; however, attackers had already exploited it as a zero-day in real-world attacks.
“The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said.
Trend Micro explained that the rootkits let attackers gain remote code execution and persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd runs as a software process within the Linux kernel.
Moreover, the attacks focused on victims running older Linux systems without endpoint detection and response (EDR) solutions enabled. This lack of protection made it easier for attackers to deploy rootkits and stay undetected. The adversaries also used spoofed IP and MAC addresses to conceal their activity.
Besides exploiting CVE-2025-20352, the threat actors also attempted to leverage a modified Telnet vulnerability derived from CVE-2017-3881. This variant allowed memory read and write at arbitrary addresses, though researchers still cannot fully determine how that functionality works.
The name “Zero Disco” references the implanted rootkit’s universal password, which includes the word “disco”—a one-letter variation of “Cisco.”
“The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”
Source: TheHackerNews