Operation “Zero Disco”: Hackers exploit Cisco SNMP flaw (CVE-2025-20352) to plant rootkits on switches

Introduction — the problem in a nutshell

Cisco IOS/IOS XE devices are under active attack via CVE-2025-20352, a stack overflow in the SNMP subsystem. Once exploited (with the required credentials), attackers can execute code as root and implant a stealthy switch rootkit that hides activity, bypasses controls, and persists operationally across the environment. Cisco patched the bug on September 24, 2025 and confirmed in-the-wild exploitation, elevating this to an urgent patch-now event.

In brief

  • Vulnerability: CVE-2025-20352 (CVSS 7.7) — SNMP stack overflow in IOS/IOS XE. DoS with low privileges; RCE with high privileges (requires SNMPv1/v2c RO string or valid SNMPv3 user and admin/priv-15 access).
  • Status: Actively exploited before patch release (zero-day). Patches shipped Sept 24, 2025.
  • Campaign: Trend Micro tracks current activity as Operation Zero Disco, with confirmed impact on Catalyst 9400/9300 and legacy 3750G series.
  • Payload: A Linux-based rootkit for switches with a UDP controller, universal password (“…disco”), AAA/VTY ACL bypass, log tampering, and config hiding.
  • Public confirmation: Multiple outlets corroborate exploitation and rootkit deployment.

Context — history & related activity

Cisco network devices have been targeted repeatedly by espionage and crimeware actors because of their position on the network control plane. Prior campaigns (e.g., SYNful Knock and, more recently, ArcaneDoor-style operations against appliances) relied on bespoke implants and covert persistence on infrastructure. The Operation Zero Disco activity fits this trajectory: exploit network gear → implant stealthy tooling → pivot across VLANs and zones. Recent advisories have also warned about legacy Cisco flaws abused by state-sponsored actors, underscoring that old bugs combined with weak hardening remain a durable attacker path.

Technical analysis — how the exploit and rootkit work

Exploit preconditions & trigger

  • Bug class: stack overflow in SNMP; reachable via crafted IPv4/IPv6 SNMP packets.
  • Privileges:
    • DoS: low-priv SNMP access.
    • RCE: SNMPv1/v2c RO string or valid SNMPv3 credentials plus device admin/priv-15 rights.
      These requirements are why mismanaged SNMP communities and credential reuse dramatically raise risk.

Observed targets & tooling

  • Models impacted in incidents: Cisco 9400, 9300, and 3750G (EoL) seen in Trend Micro telemetry.
  • Auxiliary exploit: attempts to use a modified CVE-2017-3881 (Telnet) to enable memory read/write for deeper manipulation.

Rootkit capabilities (as reported)

  • Universal password (includes “disco”): hooks IOSd authentication so the password is accepted across AAA, local, and enable authentication; the hook is volatile and does not survive a reboot.
  • UDP controller: accepts trigger packets on any IP address and port of the device, including ports that are otherwise closed, to invoke backdoor functions.
  • Stealth:
    • Hide accounts, EEM scripts, and ACLs from running-config.
    • Bypass VTY ACLs, toggle/delete logs, and reset the “last write” timestamp to mask changes.
  • Lateral movement assistance: ARP-spoofing tool and VLAN bridging to cross network zones in simulated scenarios.

Detection reality

There is no universal automated tool to reliably determine compromise of a switch by this specific implant; vendors recommend low-level forensics (firmware/ROM/boot regions) if compromise is suspected.

Practical consequences — who’s at risk and how bad can it get?

  • Network integrity risks: Unauthorized config changes, backdoor access via universal password, and suppressed telemetry can neutralize standard monitoring & AAA controls.
  • Incident response blind spots: Log tampering and config-hiding impede root-cause analysis and extend dwell time.
  • Business impact: From segmentation bypass to persistent access on the switching core, outages (DoS) during exploitation, and regulatory exposure if east-west controls are evaded.

Operational recommendations — what to do next

1) Patch and verify

  • Use Cisco Software Checker and the official advisory to identify affected releases; upgrade immediately to fixed IOS/IOS XE builds.

2) Lock down SNMP (or turn it off)

  • If you don’t absolutely need it, disable SNMP—especially v1/v2c.
  • If required, enforce SNMPv3 only, unique strong credentials, and restrict SNMP to a management VRF/VLAN with ACLs (mgmt station IPs only).
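To make the v3-only, ACL-restricted baseline above checkable at scale, here is an added example (my own code, not Cisco's or Trend Micro's) that audits the SNMP lines of a saved running-config export; the config snippets, ACL names and severity levels are constructed assumptions.

```python
import re

# Constructed sample config excerpts (illustrative, not from the article or a real device).
WEAK_SNMP = """\
snmp-server community public RO
snmp-server community netops RW 10
snmp-server group MONITOR v3 auth
"""
HARDENED_SNMP = """\
snmp-server view READONLY-VIEW iso included
snmp-server group MONITOR v3 priv read READONLY-VIEW access MGMT-ONLY
"""

# snmp-server community <string> [view <v>] RO|RW [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: ipv6 \S+)?(?: (\S+))?$", re.I)
# snmp-server group <name> v1|v2c|v3 [noauth|auth|priv] [...]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v(1|2c|3)(?: (noauth|auth|priv))?(.*)$", re.I)

def audit_snmp(config):
    """Return (severity, message) findings for SNMP settings that widen the
    CVE-2025-20352 attack surface: any v1/v2c access, sub-priv v3 levels, missing ACLs."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            # Even an RO string is enough for the RCE path once admin credentials are in hand.
            msg = f"v1/v2c community '{name}' ({mode.upper()}) enabled"
            if not acl:
                msg += ", no source ACL"
            if name.lower() in ("public", "private"):
                msg += ", well-known default string"
            findings.append(("CRITICAL" if mode.upper() == "RW" else "HIGH", msg))
            continue
        m = GROUP_RE.match(line)
        if m:
            group, version, level, rest = m.groups()
            if version.lower() != "3":
                findings.append(("HIGH", f"v{version} group '{group}' enabled"))
                continue
            level = (level or "noauth").lower()
            if level != "priv":
                findings.append(("HIGH", f"v3 group '{group}' uses {level}, not priv"))
            if " access " not in rest + " ":
                findings.append(("MEDIUM", f"v3 group '{group}' has no access ACL"))
    return findings
```

Run it over exported configs from every switch in inventory; any non-empty result is a device that still offers the credential material this exploit chain needs.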

3) Credential hygiene & admin scope

  • Rotate device admin/priv-15 credentials and SNMP communities immediately.
  • Audit for reuse with IT/OT identity stores; enforce MFA for management plane access where supported. (Cisco PSIRT noted successful exploitation followed credential compromise.)

4) Hunt for compromise

  • Pull golden-image configs and compare for hidden entries; examine AAA, VTY, EEM artifacts.
  • Look for evidence of log size zeroing, unexpected UDP listeners, and strange “last write” timestamps.
  • Use Trend Micro’s IoC set to sweep management hosts and network captures. If suspicion remains, engage Cisco TAC for ROMMON/boot/firmware inspection.

5) Network hardening

  • Enforce out-of-band management, RBAC for network admins, and config signing/image verification where possible.
  • Implement AAA accounting to remote syslog/SIEM, secure logging with tamper-evident storage, and periodic running- vs startup-config diffs.
  • Segment switching cores; block Telnet everywhere; prefer SSH with strong ciphers; monitor for ARP spoofing in the mgmt plane.
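The golden-versus-running comparison in step 4 and the periodic running/startup diffs in step 5 can share one stanza-aware differ; the following is an added example (not code from the article, Cisco or Trend Micro) that reports drift only in the AAA, VTY, EEM, ACL and SNMP stanzas. The sample configs, PLACEHOLDER_HASH and the list of sensitive prefixes are constructed assumptions.

```python
# Constructed sample configs (illustrative, not from the article or any real device);
# PLACEHOLDER_HASH stands in for a real type-9 secret hash.
GOLDEN_CONFIG = """\
username netadmin privilege 15 secret 9 PLACEHOLDER_HASH
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""
RUNNING_CONFIG = """\
username netadmin privilege 15 secret 9 PLACEHOLDER_HASH
username svc-backup privilege 15 secret 9 PLACEHOLDER_HASH
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 permit any
line vty 0 4
 transport input ssh
event manager applet WATCHDOG
 event timer watchdog time 60
"""
# Top-level stanzas whose drift deserves a manual look on a suspect switch (assumed list).
SENSITIVE = ("username ", "aaa ", "line vty", "event manager", "access-list ", "ip access-list ", "snmp-server ")

def parse_stanzas(text):
    """Map each top-level line to its indented child lines ('!' separators skipped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.rstrip()
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def diff_sensitive(golden, running):
    """Return (kind, stanza, detail): stanzas added/removed, or the child lines that differ."""
    g, r = parse_stanzas(golden), parse_stanzas(running)
    findings = []
    for key in sorted(set(g) | set(r)):
        if not key.startswith(SENSITIVE):
            continue
        if key not in g:
            findings.append(("added", key, r[key]))
        elif key not in r:
            findings.append(("removed", key, g[key]))
        elif g[key] != r[key]:
            findings.append(("changed", key, sorted(set(g[key]) ^ set(r[key]))))
    return findings
```

On the constructed input the differ surfaces the extra priv-15 user, the loosened management ACL, the missing VTY access-class and the new EEM applet, which are exactly the artefacts step 4 asks you to examine.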

6) IR playbook updates

  • Add a network-device implant branch: steps for firmware capture, image validation, TAC escalation, rebuild from known-good ROMMON, and staged re-onboarding.

Differences vs earlier Cisco device compromises

  • Access path: CVE-2025-20352 leverages SNMP and requires credentials; older campaigns often abused unauthenticated services (e.g., Smart Install) or edge-appliance bugs.
  • Stealth focus: The Zero Disco rootkit’s log control, VTY ACL bypass, and config hiding refine earlier implant TTPs into a comprehensive defense-evasion toolkit for switches specifically.

Summary — key takeaways

  • Patch now and de-risk SNMP usage; v3-only with tight ACLs should be your baseline.
  • Treat network devices as endpoints: credentials, telemetry, and EDR-like visibility matter.
  • If you see suspicious switch behavior (vanishing logs, inexplicable management access), escalate quickly to forensic-level analysis with vendor support.

Sources / bibliography

  • BleepingComputer — “Hackers exploit Cisco SNMP flaw to deploy rootkit on switches,” Oct 16, 2025.
  • Trend Micro Research — “Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits,” Oct 15, 2025.
  • Cisco PSIRT — “Cisco IOS and IOS XE Software SNMP DoS & RCE (CVE-2025-20352)” advisory, Sept 24, 2025 (updated).
  • NVD — CVE-2025-20352 detail and impact.
  • SecurityWeek — “Cisco Routers Hacked for Rootkit Deployment,” Oct 16, 2025.
  • Help Net Security — “Hackers used Cisco zero-day to plant rootkits on network switches,” Oct 17, 2025.