Security researchers from Trend Research have uncovered a sophisticated campaign, dubbed "Operation Zero Disco", in which attackers exploit a newly disclosed Cisco SNMP vulnerability (CVE-2025-20352) to implant Linux rootkits on vulnerable Cisco switches, enabling remote code execution (RCE), persistent access, and stealthy manipulation of network configurations.
"Attackers exploited the Cisco SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on older, unprotected systems, allowing remote code execution (RCE) and persistent unauthorised access by setting universal passwords and installing hooks into IOSd memory space," Trend Research stated.
The attacks primarily target Cisco 9400, 9300, and legacy 3750G series switches, particularly those running outdated Linux systems without endpoint detection and response (EDR) protection.
Trend Research notes that the attackers weaponized CVE-2025-20352, a critical flaw in Cisco's Simple Network Management Protocol (SNMP) service, to execute arbitrary commands on both 32-bit and 64-bit switch builds, gaining full control over the devices.
"The SNMP exploit referenced in Cisco's latest advisory… affects both 32-bit and 64-bit switch builds and can result in remote code execution," Trend explained.
Once compromised, the attackers installed rootkits that not only persist across reboots but also modify IOSd memory to bypass authentication and hide their activities.
"Once a Cisco device has a rootkit implanted, the malware sets a universal password that includes the word 'disco' in it… and installs several hooks onto the IOSd," Trend's report revealed.
Researchers believe the attackers chose the word "disco" as a one-letter alteration of "Cisco", giving the operation its name, Zero Disco.
Trend's investigation found that the Linux-based rootkit operates as a UDP listener, accepting covert commands from any IP address, even if the port is closed. This allows remote attackers to trigger backdoor functions or configure the switch stealthily.
"The rootkit accepts UDP packets directed to any IP assigned to the device; notably, the port does not have to be open for this function to take effect," researchers warned.

Among its key capabilities:
- Universal Password Injection: The rootkit modifies IOSd memory to insert a universal password that bypasses AAA, local login, and enable passwords.
- Hidden Configuration Items: It conceals user accounts, EEM scripts, and ACLs from the device's running configuration. Hidden account names observed include: dg3y8dpk, dg4y8epk, dg5y8fpk, dg6y8gpk, and dg7y8hpk.
- Log Manipulation: It can toggle or delete device logs and reset timestamps to make it appear as if configurations were never changed.
- VTY Access Bypass: When enabled, this feature allows attackers to circumvent ACL restrictions on Telnet and SSH interfaces.
"The rootkit hides specified account names, EEM scripts, and ACLs from the running configuration… and can toggle log history or delete records entirely," Trend wrote.
According to Trend's simulation, attackers began by exploiting publicly exposed SNMP services using the default "public" community string, gaining initial access to core switches.
"The victim in this scenario uses SNMP to monitor the status of each switch, wherein the SNMP community is public by default on each router," Trend explained.
Once inside, the attackers disabled logging, logged into the core switch, and impersonated a trusted internal waystation device to bypass firewalls separating VLANs. They then used ARP spoofing on the compromised switch to redirect traffic, effectively hijacking network communication.
"The attacker disables the core switch log remotely, assigns the waystation IP, and performs ARP spoofing… which results in the original waystation becoming offline," the researchers detailed.
After gaining access to the protected zone, the attackers restored the logs to mask intrusion traces. Trend noted that the actual victim networks were even more complex, involving additional lateral movement and persistence mechanisms.
The campaign also leveraged a modified version of CVE-2017-3881, an old Telnet vulnerability previously linked to Cisco router exploits. The modified exploit was re-engineered to enable direct memory read/write access, extending the attackers' control over the device's execution environment.
"The operation also attempted to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881… modified to enable memory read/write," the report noted.
Cisco has since issued a security advisory and updates for CVE-2025-20352, warning organizations to disable SNMP where unnecessary, change default community strings, and apply firmware updates immediately.
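As an added example (not code from Trend Research or Cisco), the following Python auditor checks a saved Cisco IOS configuration for the two things the article calls out: default or unrestricted SNMP community strings, and any `username` line matching the account names Trend reported the rootkit hiding. The sample configuration is constructed, and the line syntax it assumes is the common `snmp-server community <string> [RO|RW] [<acl>]` and `username <name> ...` form. Because the rootkit hides its accounts from the running configuration on a live compromised device, the account check is most useful against offline backups, startup configs, and configs collected before the suspected compromise.

```python
"""Audit a Cisco IOS-style configuration for Zero Disco related weaknesses.

Added example, not Trend Research's or Cisco's code. Assumptions:
- the input is plain text as saved from `show running-config` or a backup;
- SNMP lines follow `snmp-server community <string> [RO|RW] [<acl>]`;
- local accounts follow `username <name> ...`.
"""
import re

# Account names Trend observed the rootkit hiding from the running config.
ZERO_DISCO_ACCOUNTS = {"dg3y8dpk", "dg4y8epk", "dg5y8fpk", "dg6y8gpk", "dg7y8hpk"}

# Default community strings that should never survive on a production device.
DEFAULT_COMMUNITIES = {"public", "private"}

SNMP_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?", re.IGNORECASE
)
USERNAME_RE = re.compile(r"^username (\S+)")


def audit_config(config_text):
    """Return a list of (severity, message) findings, in config line order."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SNMP_COMMUNITY_RE.match(line)
        if m:
            community = m.group(1)
            mode = (m.group(2) or "RO").upper()  # IOS defaults to read-only
            acl = m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default SNMP community '{community}' ({mode})"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{community}' has no source ACL"))
            if mode == "RW":
                findings.append(("medium", f"SNMP community '{community}' is read-write"))
            continue
        m = USERNAME_RE.match(line)
        if m and m.group(1) in ZERO_DISCO_ACCOUNTS:
            findings.append(("critical", f"account '{m.group(1)}' matches a Zero Disco indicator"))
    return findings


# Constructed sample: one planted account, one default RO community with no ACL,
# one properly restricted community, and one default RW community with no ACL.
SAMPLE_CONFIG = """\
hostname core-sw-1
!
username admin privilege 15 secret 9 $9$placeholder
username dg5y8fpk privilege 15 secret 9 $9$placeholder
!
snmp-server community public RO
snmp-server community monitor RO 10
snmp-server community private RW
"""

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against a directory of config backups, a non-empty result for any device is the cue to pull that device's startup config and logs for closer review; a clean result only says the text you audited is clean, not that a live device with an implanted rootkit would show the same.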