Hackers exploit Cisco SNMP flaw (CVE-2025-20352) to plant Linux rootkits on switches


Introduction: what is CVE-2025-20352?

CVE-2025-20352 is a stack overflow in the SNMP subsystem of Cisco IOS and IOS XE. Under specific conditions, it lets an attacker crash devices (DoS) or—if they already have higher privileges—execute code as root on affected routers and switches. Cisco patched the bug on September 24, 2025 and confirmed active exploitation in the wild.

Within weeks, researchers observed a live campaign—Operation Zero Disco—abusing this flaw to drop a Linux rootkit for persistence on older, unprotected Cisco gear. Public reporting ties the activity to opportunistic threat actors; no firm attribution has been made.


In brief

  • Vulnerability: CVE-2025-20352 (CVSS 7.7) in Cisco IOS/IOS XE SNMP. DoS via low privileges; RCE as root requires administrative/privilege-15 access.
  • Exploitation: Used in Operation Zero Disco to deploy a Linux rootkit on legacy/unprotected switches.
  • Affected footprint: Broad IOS/IOS XE releases; reports mention impact on Cisco Catalyst 9300/9400 and older 3750G, plus Meraki MS390 when running vulnerable builds. Your specific exposure depends on software train and SNMP configuration.
  • Status: Patched. CISA added the CVE to KEV on Sept 29, 2025—treat as patch-immediately.

Context / history / connections

Cisco rolled the fix into its September 2025 IOS/IOS XE advisory bundle and disclosed that exploitation was already occurring (following compromise of local admin credentials). Shortly after, multiple outlets and vendors highlighted active abuse. The case fits a broader trend of living-off-the-LAN campaigns against legacy network appliances and exposed management services (SNMPv1/v2c).

This isn’t the first time network-edge and campus devices have been targeted (e.g., Smart Install/SMI abuses), but the rootkit deployment for persistence ups the ante for incident response and device assurance.


Technical analysis / details of the vulnerability

  • Where the bug lives: the SNMP subsystem of IOS/IOS XE, reachable over IPv4 and IPv6. Classified as CWE-121 (stack-based buffer overflow).
  • Trigger & prerequisites:
    • To cause DoS, an attacker needs SNMPv1/v2c read-only community or valid SNMPv3 credentials.
    • To achieve code execution as root, the attacker additionally needs administrative/priv-15 credentials on the device (e.g., after credential theft).
  • Exploit path: Crafted SNMP packets reach the vulnerable code path; successful exploitation enables arbitrary code execution as root, which Operation Zero Disco then leverages to side-load a Linux rootkit for persistence and stealth on the device.

Operation Zero Disco tradecraft (as reported):

  • Targets older or unprotected switch builds; infections observed on Catalyst 9300/9400 and legacy 3750G families.
  • Post-exploit payloads install a kernel-mode/root-level component to ensure survivability across reboots and to hide malicious artifacts/processes. (Exact modules and IOC paths vary by build; see vendor report for indicators.)

Practical consequences / risks

  • Stealthy persistence: A rootkit on network infrastructure provides the attacker with long-term, nearly invisible footholds for traffic inspection, credential harvesting, and lateral movement.
  • Operational disruption: Even failed attempts can trigger reboots (DoS), impacting campus and datacenter networks.
  • Incident response complexity: Compromised firmware/OS images and hidden hooks mean standard config restores may not be enough; you may need secure-booted reimages from trusted media plus credential resets.

Operational recommendations / what to do next

1) Patch immediately

  • Identify affected IOS/IOS XE releases and upgrade to the fixed trains per Cisco’s advisory (Sept 24, 2025 bundle). Prioritize devices running SNMPv1/v2c or exposed to untrusted networks.

2) Reduce SNMP attack surface

  • Disable SNMPv1/v2c where possible; migrate to SNMPv3 with authPriv.
  • Restrict SNMP to management VLANs and source-IP ACLs; block from the internet.
  • Rotate SNMP communities and local/priv-15 credentials; enforce AAA/TACACS+ with per-user accounts and MFA (where supported).
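As an added illustration (not code from Cisco, Trend Micro or any of the sources listed below), the Python script that follows audits a running-config excerpt for the settings this section says to remove: SNMPv1/v2c communities (RW flagged as high), communities and SNMPv3 groups with no source ACL, SNMPv3 groups weaker than authPriv, and notification destinations still on version 1/2c. Both config excerpts are constructed, the passwords are placeholders, and the ACL, group and user names are assumptions; exact IOS command syntax can differ by software train.

```python
"""Audit a Cisco IOS/IOS XE running-config excerpt for the SNMP weaknesses
the article says to remove: SNMPv1/v2c communities (especially RW), missing
source ACLs, SNMPv3 groups below authPriv, and v1/v2c trap destinations.

Added example, not Cisco's or Trend Micro's code. The config excerpts below
are constructed; passwords are placeholders; names are assumptions."""
import re

# Constructed "before" config: the pattern a campaign like this preys on.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 auth
snmp-server user monitor NETMON v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server host 198.51.100.10 version 2c public
"""

# Constructed "after" config: SNMPv3 authPriv only, locked to a management ACL.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
 deny   any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server host 10.10.0.5 version 3 priv monitor
"""

# Only the command forms used above are recognised; extend as needed.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$", re.I)
HOST_RE = re.compile(r"^snmp-server host (\S+) .*?\bversion (1|2c|3)\b", re.I)


def audit_snmp(config: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for each SNMP line that contradicts
    the hardening guidance. An empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"community '{name}' ({mode}): SNMPv1/v2c community; migrate to SNMPv3"))
            if acl is None:
                findings.append(("medium", f"community '{name}': no source ACL restricting management hosts"))
        elif m := GROUP_RE.match(line):
            name, level, rest = m.group(1), m.group(2).lower(), m.group(3)
            if level != "priv":
                findings.append(("medium", f"group '{name}': SNMPv3 level '{level}', not priv (authPriv)"))
            if not re.search(r"\baccess\b", rest):
                findings.append(("medium", f"group '{name}': no access ACL"))
        elif m := HOST_RE.match(line):
            host, version = m.group(1), m.group(2).lower()
            if version != "3":
                findings.append(("low", f"host {host}: notification destination uses SNMP version {version}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK_CONFIG), ("HARDENED", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_snmp(cfg) or [("ok", "no SNMP findings")]:
            print(f"[{sev}] {msg}")
```

Feed it the output of `show running-config | include snmp-server` from each device to get a first-pass list of which boxes still expose v1/v2c or lack ACLs; the audit is a config linter, not proof of compromise, so a clean result does not replace the hunting steps that follow.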

3) Hunt and contain

  • Check vendor IOCs and telemetry from Trend Micro’s Operation Zero Disco post and your NDR/IDS logs for suspicious SNMP traffic and post-exploit activity.
  • If compromise is suspected:
    • Isolate device ports from untrusted segments.
    • Back up configs, then reimage from trusted, verified images; enable secure boot / image signing where supported.
    • After rebuild, change all credentials (SNMP, local, TACACS+/RADIUS, service accounts).
    • Validate with config diffs and file integrity checks. (Cisco’s guidance in the advisory applies across product lines.)

4) Strengthen visibility

  • Centralize NetFlow/IPFIX and logs for SNMP access attempts; alert on community strings used from new sources or sudden SNMP bulk walks.
  • Continuously monitor for unexpected processes/modules on the device and unsanctioned boot variables—common rootkit persistence points on network OSes. (Based on vendor campaign reporting.)
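To make the hunting advice in sections 3 and 4 concrete ("alert on community strings used from new sources or sudden SNMP bulk walks"), here is an added example, not vendor code and not tied to any NDR or SIEM product, that runs those two checks over constructed SNMP access events. The key=value event format, the baseline of known poller addresses, the RFC 5737 addresses, and the threshold of 20 GETBULKs within 60 seconds are all assumptions; in production the events would be derived from NetFlow/IPFIX or the device's SNMP access logs, and the threshold tuned to your pollers.

```python
"""Two SNMP hunting checks from the article: a community string or SNMPv3
user exercised from a source never seen with it before, and a burst of
GETBULK requests (a bulk walk) from one host.

Added example; the baseline, the event records and the key=value format
are constructed, and the burst threshold is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed baseline: source hosts historically seen using each community
# string (v1/v2c) or SNMPv3 user, e.g. learned from 30 days of flow data.
BASELINE = {
    "netmon-ro": {"10.10.0.5"},
    "monitor": {"10.10.0.5", "10.10.0.6"},
}


def constructed_events() -> list[str]:
    """Build sample records, one per SNMP request, in a simplified key=value form."""
    base = datetime(2025, 10, 16, 9, 0, 0)

    def stamp(delta: timedelta) -> str:
        return (base + delta).strftime(FMT)

    lines = [f"{stamp(timedelta())} src=10.10.0.5 dst=10.0.1.1 principal=netmon-ro pdu=get"]
    # Known poller doing a slow walk: 5 GETBULKs spread over 5 minutes (benign).
    for i in range(5):
        lines.append(f"{stamp(timedelta(minutes=i))} src=10.10.0.6 dst=10.0.1.1 principal=monitor pdu=getbulk")
    # Unbaselined host reusing the read-only community, then walking the MIB fast.
    lines.append(f"{stamp(timedelta(minutes=7))} src=192.0.2.77 dst=10.0.1.1 principal=netmon-ro pdu=get")
    for i in range(25):
        lines.append(f"{stamp(timedelta(minutes=7, seconds=1 + i))} src=192.0.2.77 dst=10.0.1.1 principal=netmon-ro pdu=getbulk")
    return lines


def parse_event(line: str) -> dict:
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, FMT)
    return event


def new_source_alerts(events, baseline) -> list[str]:
    """One alert per (principal, source) pair that is absent from the baseline."""
    alerts, reported = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        pair = (e["principal"], e["src"])
        if e["src"] in baseline.get(e["principal"], set()) or pair in reported:
            continue
        reported.add(pair)
        alerts.append(f"{e['ts'].strftime(FMT)} '{e['principal']}' used from unbaselined source {e['src']} -> {e['dst']}")
    return alerts


def bulk_walk_alerts(events, window=timedelta(seconds=60), threshold=20) -> list[str]:
    """Alert once per source whose GETBULK count inside a sliding window reaches the threshold."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # src -> timestamps of GETBULKs still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["pdu"].lower() != "getbulk" or e["src"] in flagged:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # q holds the current event, so never empties
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
            alerts.append(f"{e['ts'].strftime(FMT)} bulk walk: {len(q)} GETBULKs from {e['src']} within {window.seconds}s")
    return alerts


def hunt(lines, baseline=BASELINE) -> dict[str, list[str]]:
    """Run both checks over raw event lines and return alerts keyed by check."""
    events = [parse_event(line) for line in lines]
    return {"new_source": new_source_alerts(events, baseline),
            "bulk_walk": bulk_walk_alerts(events)}


if __name__ == "__main__":
    for kind, alerts in hunt(constructed_events()).items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```

The new-source check is the higher-signal one here: a read-only community reused from an address your pollers never use is exactly the credential-reuse step the campaign relies on before any crash or code-execution attempt, and it fires even when the request volume is small. The bulk-walk check needs a baseline of what your legitimate pollers do so that the threshold sits above their normal cadence.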

5) Governance

  • Because CISA KEV flags exploitation, many sectors must patch within policy deadlines—track and report remediation progress.

Differences / comparisons with other cases

Compared to long-running exploitation of Cisco Smart Install (CVE-2018-0171) and legacy management protocols, Operation Zero Disco is notable for rootkit-level persistence rather than mere configuration tampering or reconnaissance. Both cases highlight the risk of legacy services (SMI, SNMPv1/v2c) left exposed or enabled by default on aging hardware.


Summary / key takeaways

  • CVE-2025-20352 is actively exploited and now sits in CISA’s KEV—treat as urgent. Patch and lock down SNMP now.
  • The Operation Zero Disco campaign shows attackers turning network devices into stealth beachheads with Linux rootkits.
  • Limiting SNMP exposure, enforcing SNMPv3 + ACLs, and credential hygiene materially reduce risk—even before patch windows open.

Sources / bibliography

  • BleepingComputer — Hackers exploit Cisco SNMP flaw to deploy rootkit on switches (Oct 16, 2025).
  • Trend Micro — Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits (Oct 15, 2025).
  • Cisco — Cisco IOS and IOS XE Software SNMP DoS and RCE Vulnerability (advisory bundle, Sept 24, 2025; CVE-2025-20352).
  • NVD — CVE-2025-20352 (technical description).
  • CISA — Known Exploited Vulnerabilities Catalog update (Sept 29, 2025).
  • SecurityWeek — Older Cisco devices infected with rootkit via CVE-2025-20352 (Oct 16, 2025).