Cisco SNMP vulnerability exploited to deploy Linux rootkits

Cybersecurity firm Trend Micro has revealed Operation Zero Disco, a campaign exploiting a critical Cisco SNMP flaw to install rootkits on network devices. The attack targets older switches, enabling persistent access and evasion of detection. As of October 2025, it has compromised enterprise networks reliant on legacy infrastructure.

Trend Micro researchers uncovered Operation Zero Disco, an attack campaign actively exploiting CVE-2025-20352, a buffer overflow vulnerability in Cisco's Simple Network Management Protocol (SNMP) implementation on IOS XE Software. This flaw affects both 32-bit and 64-bit switch builds, allowing remote code execution (RCE) via crafted SNMP Get-Request packets, particularly when devices use default 'public' community strings.

The campaign primarily targets older Cisco models, including the phased-out 3750G series, as well as active 9400 and 9300 lines. Cisco confirmed the impact, noting that legacy devices lack modern protections such as Address Space Layout Randomization (ASLR), though newer models can still be breached with repeated attempts. Once exploited, attackers deploy a sophisticated Linux rootkit that establishes fileless persistence through modifications to the IOSd memory space, ensuring activity survives reboots.

The rootkit introduces a universal password containing 'disco'—a nod to Cisco—hooking low-level authentication functions to bypass AAA, local logins, and enable passwords. A UDP-based controller component, operating on any port, allows attackers to toggle logging, delete records, bypass access-control lists, and conceal configuration changes by resetting timestamps. Hidden elements include account names like 'dg3y8dpk' through 'dg7y8hpk', Embedded Event Manager (EEM) scripts 'CiscoEMX-1' to 'CiscoEMX-5', and ACLs such as 'EnaQWklg0' to 'EnaQWklg2'.

Attackers chain the exploit with a modified version of CVE-2017-3881, a prior Telnet vulnerability repurposed for arbitrary memory read and write operations. This enables advanced infiltration: manipulating VLAN routing to bridge segments, IP spoofing of trusted hosts to evade firewalls, and ARP spoofing via guest shell binaries to hijack traffic and disrupt devices. On 32-bit targets, fragmented SNMP packets smuggle commands like '$(ps -a'; on 64-bit, elevated privileges activate guest shells for post-exploitation.

The operation highlights risks in unpatched, legacy network gear without endpoint detection. No automated detection tool exists, requiring manual Cisco Technical Assistance Center (TAC) investigations. Trend Micro recommends patching CVE-2025-20352, restricting SNMP to authenticated communities, and using tools like Cloud One Network Security with rules 46396 for SNMP exploits and 5497/5488 for UDP traffic.
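Since the article names concrete configuration indicators (the hidden accounts, EEM applets and ACLs above) and recommends restricting SNMP to authenticated communities, here is an added example of a defensive config scan that checks for those items; it is not code from Trend Micro or Cisco, the sample running-config is constructed, and the 'private' community name and the ACL-after-RO/RW heuristic are assumptions beyond what the article states.

```python
import re

# Indicators quoted in the article. Only the two endpoints of the account-name
# range are given, so only those two exact names are matched here.
KNOWN_USERS = {"dg3y8dpk", "dg7y8hpk"}
EEM_APPLETS = {f"CiscoEMX-{i}" for i in range(1, 6)}   # CiscoEMX-1 .. CiscoEMX-5
ACL_NAMES = {f"EnaQWklg{i}" for i in range(0, 3)}      # EnaQWklg0 .. EnaQWklg2
# Default community names to flag ('private' is an assumption; the article names 'public').
WEAK_COMMUNITIES = {"public", "private"}

# Constructed sample running-config for demonstration, not a real capture.
SAMPLE_CONFIG = """\
hostname core-sw-01
username admin privilege 15 secret 9 PLACEHOLDERHASH
username dg3y8dpk privilege 15 secret 9 PLACEHOLDERHASH
snmp-server community public RO
snmp-server community ops-ro RO 10
ip access-list standard EnaQWklg1
 permit any
event manager applet CiscoEMX-3
 event none
 action 1.0 cli command "enable"
"""

def scan_config(text):
    """Return a list of (line_no, reason) tuples for lines matching an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if (m := re.match(r"username (\S+)", s)) and m.group(1) in KNOWN_USERS:
            hits.append((n, f"known rootkit account {m.group(1)}"))
        elif (m := re.match(r"event manager applet (\S+)", s)) and m.group(1) in EEM_APPLETS:
            hits.append((n, f"known rootkit EEM applet {m.group(1)}"))
        elif (m := re.match(r"ip access-list \w+ (\S+)", s)) and m.group(1) in ACL_NAMES:
            hits.append((n, f"known rootkit ACL {m.group(1)}"))
        elif m := re.match(r"snmp-server community (\S+)", s):
            name = m.group(1)
            if name.lower() in WEAK_COMMUNITIES:
                hits.append((n, f"default SNMP community '{name}'"))
            # Heuristic: a community line that ends in RO/RW with nothing after it
            # has no access-list restricting which hosts may use it.
            elif not re.search(r"\s(RO|RW)\s+\S+$", s):
                hits.append((n, f"SNMP community '{name}' not restricted by an ACL"))
    return hits

if __name__ == "__main__":
    for line_no, reason in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {reason}")
```

Because the rootkit conceals configuration changes and resets timestamps, run this against an out-of-band copy of the configuration (for example, a backup held by the network management system) rather than output pulled from the possibly compromised device; a clean result is not proof of absence, which is why the article points to TAC investigation.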
