Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits
Trend Micro researchers uncovered Operation Zero Disco, an attack campaign exploiting CVE-2025-20352 to deploy Linux rootkits on Cisco switches.
Trend Micro researchers have uncovered a sophisticated attack campaign dubbed "Operation Zero Disco" that exploits a Cisco SNMP vulnerability to deploy Linux rootkits on network devices. The campaign targets CVE-2025-20352, a vulnerability affecting both 32-bit and 64-bit Cisco switch builds, allowing remote code execution (RCE). The attackers use spoofed IP addresses and MAC addresses to evade detection, and have been observed targeting Cisco 9400, 9300, and legacy 3750G series switches.
Once a device is compromised, the rootkit sets a universal password containing the word "disco" — a likely play on "Cisco" — and installs fileless hooks into the IOSd memory space. These hooks disappear after a reboot, making forensic analysis challenging. Newer switch models with Address Space Layout Randomization (ASLR) offer some protection, but repeated exploitation attempts can still succeed.
The attackers also attempted to exploit a modified version of CVE-2017-3881, a Telnet vulnerability, to enable arbitrary memory read/write access. This secondary exploit was used to facilitate further compromise. Trend Micro's investigation recovered several exploit samples targeting both 32-bit and 64-bit platforms, including SNMP exploits capable of installing rootkits and a UDP controller that provides powerful management functions.
The UDP controller allows attackers to toggle log history, bypass AAA authentication, bypass VTY access-control lists, enable or disable the universal password, conceal portions of the running configuration, and reset the timestamp of the last running-config write to hide changes. This level of control enables persistent, stealthy access to compromised devices.
Cisco contributed to the research by providing forensics and impact data. Trend Micro customers are protected via specific detection rules and filters. The campaign highlights the ongoing risk posed by unpatched network infrastructure devices and the importance of securing SNMP configurations. Organizations using affected Cisco switches should apply the latest patches and monitor for indicators of compromise.