Illustration of a cyber attack on Cisco devices, showing analysts monitoring screens with code and warnings in a dark operations room.
AI-generated image

Operation Zero Disco exploits Cisco SNMP flaw for rootkits


Threat actors behind Operation Zero Disco have exploited a vulnerability in the SNMP service of Cisco IOS and IOS XE to plant memory-resident Linux rootkits on network devices. The campaign targets older Cisco switches and uses crafted SNMP packets to achieve remote code execution. Trend Micro researchers disclosed the attacks on October 16, 2025, underscoring the exposure of unpatched systems.

Trend Micro researchers have uncovered Operation Zero Disco, a campaign exploiting CVE-2025-20352, a stack overflow in the SNMP subsystem of Cisco IOS and IOS XE Software. Rated CVSS 7.7, the flaw is reachable by a remote attacker who already holds valid SNMP credentials (an SNMPv1/v2c read-only community string or SNMPv3 user credentials) and sends crafted SNMP packets over IPv4 or IPv6. With only those low privileges the attacker can crash and reload the device; with high-privileged (privilege 15) credentials on the device as well, the attacker can execute arbitrary code as root on IOS XE. Every SNMP version is affected on any device with SNMP enabled, and Cisco's Product Security Incident Response Team confirmed exploitation in the wild after local administrator credentials had been compromised.

The operation primarily targets older Cisco hardware, including Catalyst 9400 and 9300 series switches and legacy 3750G switches, devices that sit outside the reach of endpoint detection and response tooling. Attackers combined the SNMP exploit with a modified variant of the Telnet vulnerability CVE-2017-3881 to gain arbitrary memory read and write access. Once in, they deployed a fileless rootkit that hooks the IOSd process (on IOS XE, a user-space daemon running on top of a Linux kernel) and installs a universal password containing the string 'disco', one letter away from 'Cisco'. The rootkit opens a UDP listener on any port, including ports that appear closed, to receive remote commands; hides configuration items such as account names, EEM scripts and ACLs from the running configuration; bypasses VTY ACLs; toggles or deletes logging; and resets timestamps to mask changes. Because every component lives only in memory, a reboot wipes it, but core switches are rarely rebooted, so the implant can remain in place for long periods while leaving little on-disk evidence for forensics.

Lateral movement centres on core switches in segmented networks guarded by firewalls. Initial access abuses the default 'public' SNMP community string; the attackers then add routes to reach other VLANs and use ARP spoofing and IP impersonation to slip past internal firewalls: logging is disabled, a waystation IP address is bound to a switch port, and the legitimate device that owns that address is forced offline so traffic flows to the attacker-controlled switch instead. Newer switch models ship with Address Space Layout Randomization, which lowers the exploit's success rate, though repeated attempts can still land. Cisco released fixed software in September 2025, but the intrusions predate the patch. Trend Micro recovered exploit builds for both 32-bit and 64-bit platforms and published indicators of compromise. Where compromise is suspected, contact Cisco TAC for firmware and memory analysis and deploy Trend Micro's detection rules; until devices are patched, Cisco's advisory also recommends restricting SNMP access to trusted management hosts.
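As an added example (not code from Trend Micro's report or from Cisco), the following Python script audits an exported IOS or IOS XE configuration for the SNMP weaknesses the campaign leaned on: default or guessable community strings such as 'public', read-write communities, communities with no ACL restricting who may query them, and the absence of any SNMPv3 group. The function names and the two sample configurations are constructed for illustration; the hardened sample shows the corrected form beside the weak one.

```python
"""Audit a Cisco IOS / IOS XE configuration for the SNMP exposure that
Operation Zero Disco relied on.

Added example for this article (not code from Trend Micro or Cisco).
All helper names and both sample configurations are constructed.
"""
import re
from dataclasses import dataclass, field

# Community strings attackers guess first; 'public' is the default
# community the campaign abused for initial access.
GUESSABLE_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 (?P<v6acl>\S+))?"
    r"(?: (?P<acl>\S+))?$"
)


@dataclass
class SnmpFinding:
    line: str                     # offending config line, or "(global)"
    issues: list = field(default_factory=list)


def audit_snmp_config(config_text):
    """Return one SnmpFinding per problematic 'snmp-server community' line,
    plus a global finding when communities exist but no SNMPv3 group does."""
    findings = []
    has_v3_group = False
    has_community = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server group ") and " v3 " in line:
            has_v3_group = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        has_community = True
        issues = []
        if m.group("string").lower() in GUESSABLE_COMMUNITIES:
            issues.append(f"guessable community string '{m.group('string')}'")
        # IOS treats a community with no RO/RW keyword as read-only.
        if (m.group("mode") or "RO") == "RW":
            issues.append("read-write community: SNMP SET can change the config")
        if not (m.group("acl") or m.group("v6acl")):
            issues.append("no ACL: any host that reaches UDP/161 can query it")
        if issues:
            findings.append(SnmpFinding(line, issues))

    if has_community and not has_v3_group:
        findings.append(SnmpFinding(
            "(global)",
            ["only SNMPv1/v2c in use: community strings travel in cleartext"],
        ))
    return findings


# Constructed weak configuration: default community, no ACL, RW access,
# no SNMPv3 at all.
WEAK_CONFIG = """\
hostname core-sw-01
!
snmp-server community public RO
snmp-server community s3cr3t-mgmt RW 10
snmp-server community netmon-ro RO MGMT-HOSTS
snmp-server location DC1
!
access-list 10 permit 10.0.0.0 0.0.0.255
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
!
end
"""

# Constructed hardened configuration: SNMPv3 authPriv only, scoped by ACL.
HARDENED_CONFIG = """\
hostname core-sw-01
!
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
!
snmp-server group NETADMIN v3 priv access MGMT-HOSTS
snmp-server location DC1
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for f in audit_snmp_config(cfg):
            print(f"{f.line}\n    " + "\n    ".join(f.issues))
```

Run it against configurations pulled from a trusted backup or a configuration-management system, not from `show running-config` on a suspect switch: the rootkit described above hides account names, EEM scripts and ACLs from the running configuration, so a compromised device's own output cannot prove a clean state. The fix for each finding is the hardened sample's shape: remove v1/v2c communities, or at minimum replace guessable strings and bind each community to an ACL, and move management to SNMPv3 with authentication and privacy.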
