“Cisco Devices Infected with Rootkit via Unpatched Zero-Day”

Attackers have exploited CVE-2025-20352, an SNMP vulnerability in Cisco IOS and IOS XE that was still an unpatched zero-day when the attacks began, to plant a rootkit on Cisco switches. The rootkit listens for UDP packets and hides its changes, including modifications to the running configuration, from the operators and security teams responsible for the devices. The attackers chained exploits for more than one vulnerability and set a universal password that works across the compromised devices.

Key vulnerabilities:
– CVE-2025-20352 (CVSS 7.7): stack overflow in the SNMP subsystem of Cisco IOS and IOS XE. An attacker who holds a read-only SNMPv1/v2c community string or valid SNMPv3 credentials can crash the device (denial of service); one who additionally has administrative (privilege 15) credentials can execute arbitrary code as root, which is the path that makes rootkit installation possible.
– CVE-2017-3881: remote code execution in the Cluster Management Protocol (CMP) Telnet handling of Cisco IOS and IOS XE, patched in 2017; the attackers used it against devices that still accept Telnet.

How it works:
– On 32-bit devices, the attackers sent crafted SNMP packets that delivered commands for the vulnerable device to execute.
– On 64-bit devices, the SNMP exploit was used to install the rootkit, after which the attackers logged in with the universal password.

What to do:
– Upgrade to an IOS or IOS XE release that fixes CVE-2025-20352 (Cisco's Software Checker lists fixed releases) and restrict SNMP to trusted management hosts with an access list: the low-privilege exploitation path needs nothing more than a valid community string or SNMPv3 credentials, so a community string leaked from a monitoring tool or left at a default is enough to reach the bug.
– If you suspect a Cisco switch is compromised, contact Cisco TAC, which can perform a forensic examination of the device.
– No automated tool reliably detects this compromise, and because the rootkit hides its changes, a clean-looking running configuration is not evidence that the device is clean.
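A configuration audit that applies the first recommendation, written here as an added example rather than code from the article, Trend Micro or Cisco. It parses a constructed running-config excerpt (not taken from any real device) and flags the settings that let an attacker meet the preconditions of the two CVEs: default or unrestricted SNMPv1/v2c community strings, SNMPv3 users below authPriv, and Telnet on the VTY lines. The severity scale and the DEFAULT_COMMUNITIES set are this script's own assumptions.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP and Telnet settings that widen
the attack surface of CVE-2025-20352 and CVE-2017-3881. Added example, not code from
SecurityWeek, Trend Micro or Cisco; both configs are constructed samples, and the
severity scale and DEFAULT_COMMUNITIES set are this script's own assumptions."""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}  # first guesses of any SNMP scanner

# Constructed "show running-config" excerpt from a weakly configured switch.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cret RO 10
snmp-server community netops RO 20
snmp-server user monitor NETMON v3 auth sha XXXX priv aes 128 YYYY
snmp-server user legacy NETMON v3
snmp-server user legacy2 NETMON v3 auth sha ZZZZ
access-list 10 permit 10.0.0.5
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened counterpart: SNMPv3 authPriv only, management ACL, SSH-only VTYs.
HARDENED_CONFIG = """\
snmp-server group NETMON v3 priv access 10
snmp-server user monitor NETMON v3 auth sha XXXX priv aes 128 YYYY
access-list 10 permit 10.0.0.5
line vty 0 4
 access-class 10 in
 transport input ssh
"""


@dataclass
class Finding:
    severity: str  # CRITICAL, HIGH or MEDIUM (this script's own scale)
    line: str      # offending config line
    reason: str


def parse_community(tokens):
    """Tail of 'snmp-server community STRING [view V] [ro|rw] [ipv6 N] [ACL]' -> (name, mode, acl)."""
    name, mode, acl, i = tokens[0], "RO", None, 1  # IOS defaults to read-only
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() in ("view", "ipv6"):
            i += 2  # keyword plus its argument; IPv6 ACLs are not audited here
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok  # IPv4 ACL number or name restricting source hosts
        i += 1
    return name, mode, acl


def v3_security_level(tokens):
    """Security level implied by the keywords after 'snmp-server user NAME GROUP v3'."""
    lowered = {t.lower() for t in tokens}
    if "auth" not in lowered:
        return "noAuthNoPriv"
    return "authPriv" if "priv" in lowered else "authNoPriv"


def audit_snmp(config_text):
    """Return a list of Finding for the given running-config text."""
    findings, communities, acls_defined, in_vty = [], [], set(), False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens, indented = line.split(), line.startswith(" ")
        if not indented:  # any top-level command ends a 'line vty' block
            in_vty = tokens[:2] == ["line", "vty"]
        if tokens[0] == "access-list" and len(tokens) > 1:
            acls_defined.add(tokens[1])
        elif tokens[:2] == ["ip", "access-list"] and len(tokens) >= 4:
            acls_defined.add(tokens[3])
        elif tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            communities.append((line, *parse_community(tokens[2:])))
        elif tokens[:2] == ["snmp-server", "user"] and len(tokens) >= 5 and tokens[4].lower() == "v3":
            level = v3_security_level(tokens[5:])
            if level != "authPriv":
                findings.append(Finding("HIGH", line, f"SNMPv3 user at {level}: "
                                        "credentials or traffic are unprotected"))
        elif in_vty and indented and tokens[:2] == ["transport", "input"]:
            if any(t.lower() in ("telnet", "all") for t in tokens[2:]):
                findings.append(Finding("MEDIUM", line,
                                        "Telnet accepted on VTY lines (CVE-2017-3881 surface)"))
    # Communities are judged after the pass so that ACLs defined later in the file count.
    for line, name, mode, acl in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("CRITICAL", line, f"default community '{name}': anyone "
                                    "meets the low-privilege precondition of CVE-2025-20352"))
        if mode == "RW":
            findings.append(Finding("CRITICAL", line, "read-write community string"))
        if acl is None:
            findings.append(Finding("HIGH", line, "no ACL: community usable from any source"))
        elif acl not in acls_defined:
            findings.append(Finding("HIGH", line, f"ACL {acl} referenced but not defined"))
        findings.append(Finding("MEDIUM", line, "SNMPv1/v2c community: plaintext, no per-user auth"))
    return findings
```

Run `audit_snmp()` over the text of `show running-config` pulled from each switch; the constructed weak sample produces 13 findings and the hardened sample none. Two caveats: the script checks exposure, not compromise, and on an already-infected device the rootkit can hide configuration entries, so a clean result from this or any config-based check must not be read as proof that the switch is clean. It also tracks only `access-list` and `ip access-list` definitions, so an ACL applied through a mechanism it does not parse will show up as "referenced but not defined" and needs a manual look.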

Source: https://www.securityweek.com/cisco-routers-hacked-for-rootkit-deployment