“ZeroDisco Campaign Exploits Cisco SNMP Vulnerability for Rootkit Deployment”

Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

A recent attack campaign, dubbed “ZeroDisco,” has been discovered by Trend Research, exploiting a vulnerability in Cisco’s Simple Network Management Protocol (SNMP) to deploy Linux rootkits on vulnerable network devices. The vulnerability, CVE-2025-20352, allows for remote code execution and enables attackers to gain persistent unauthorized access.

The ZeroDisco campaign primarily targets older, unprotected systems running Cisco 9400, 9300, and legacy 3750G series devices. Attackers used spoofed IPs and Mac email addresses in their attacks, making it difficult to detect the initial breach. Once inside, they deployed Linux rootkits to hide activity and evade blue-team investigation and detection.
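As an added defender-side example (not code from Trend's report), the following Python helper parses the SNMPv1/v2c message header from a UDP/161 payload and flags requests worth escalating: SET requests, and any SNMP request from a host outside a known-poller allowlist, which is one way to surface attempts arriving from spoofed or unexpected sources. The sample packets, community string and allowlist are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# SNMPv1/v2c PDU tags (context-specific, constructed)
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response",
             0xA3: "set", 0xA5: "getbulk", 0xA7: "trapv2"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload: bytes) -> Dict[str, object]:
    """SNMPv1/v2c message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, _, _ = read_tlv(msg, p)
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")}

def assess(src_ip: str, payload: bytes, allowed_pollers: Set[str]) -> Tuple[dict, List[str]]:
    """Return the parsed header plus a list of reasons to escalate (empty if none)."""
    hdr = parse_snmp_header(payload)
    reasons = []
    if src_ip not in allowed_pollers:
        reasons.append("SNMP from host outside the poller allowlist")
    if hdr["pdu"] == "set":
        reasons.append("SET request (write access to the device)")
    return hdr, reasons

# --- constructed sample traffic (short-form BER lengths only) ---
def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def build_request(community: bytes, pdu_tag: int) -> bytes:
    """Build a v2c request: request-id 1, no error, empty varbind list."""
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + tlv(pdu_tag, pdu))
```

Feed it real payloads from a packet capture of the management network and compare the source addresses against your NMS inventory; the allowlist here is the hypothetical poller set.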

Trend Micro Research has observed the operation using a universal password containing the word “disco,” believed to be a one-letter change from “Cisco.” The malware then installs hooks into IOSd; its fileless components disappear after a reboot.

Newer switch models provide some protection via Address Space Layout Randomization (ASLR), but repeated attempts can still succeed. Trend Micro telemetry has detected that Cisco 9400 series and 9300 series are affected by this operation.

To detect and respond to this threat, Trend recommends using Trend Cloud One Network Security or Deep Discovery, which provide deep inspection of cloud network traffic through virtual patching, intrusion prevention (IPS), and post-compromise detection. Trend Vision One customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.

Detection and security recommendations are available on the Trend Micro website.

Source: https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html