‘Zero Disco’ campaign hits legacy Cisco switches with fileless rootkit payloads


In newly disclosed real-world attacks, threat actors have been observed exploiting a vulnerability in Cisco's Simple Network Management Protocol (SNMP) implementation to gain remote code execution (RCE) and install Linux rootkits on vulnerable switches.

A Trend Micro investigation traced the activity, dubbed "Operation Zero Disco," to older Cisco platforms and found that the operation used spoofed IP and MAC addresses as part of its attack chain.

“The operation targeted victims running older Linux systems that do not have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection,” said Trend Micro researchers in a blog post.

Trend researchers also noted that the attackers attempted to combine the SNMP RCE with a modified Telnet-related memory-access technique to deepen their foothold.

Rootkits deployed through crafted SNMP requests

The root of the problem is CVE-2025-20352, a stack-based buffer overflow in Cisco's SNMP implementation that lets specially crafted SNMP Get requests trigger remote code execution on affected IOS XE builds. Once code execution is obtained, the attackers deploy custom Linux rootkits that hook into the memory space of the Cisco IOS daemon (IOSd), set a universal password, and hide malicious processes and network activity. The universal password observed contained the word "disco."

The rootkit also spawns a UDP controller component that acts as a command-and-control interface. The controller can toggle or delete logs (by setting the log size to zero), bypass access controls, and even reset the timestamp of the last running-config write to mask changes.
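Two of the controller's anti-forensic tricks described above, zeroing the log buffer and resetting the last-config-change timestamp, leave traces that can be checked from outside the switch. The following is an added example, not Trend Micro's tooling or anything from the original report: it compares the on-box `show logging` and `show running-config` header against an off-box syslog copy that the switch cannot rewrite. All CLI output and syslog lines below are constructed samples, the `LOG_YEAR` assumption stands in for year data that Cisco syslog lines do not carry, and an empty result means "nothing seen," not "clean."

```python
import re
from datetime import datetime

# Constructed sample CLI output (not captured from a real device): a switch
# whose on-box log buffer has been forced to 0 bytes and whose running-config
# header claims an older "last change" time than the off-box syslog copy shows.
SHOW_LOGGING = (
    "Syslog logging: enabled (0 messages dropped, 0 messages rate-limited)\n"
    "    Buffer logging:  level debugging, 0 messages logged, xml disabled\n"
    "Log Buffer (0 bytes):\n"
)

SHOW_RUN_HEADER = (
    "Building configuration...\n"
    "\n"
    "Current configuration : 4213 bytes\n"
    "!\n"
    "! Last configuration change at 09:12:41 UTC Mon Sep 1 2025 by netops\n"
    "!\n"
    "version 17.9\n"
)

# Constructed lines from a central syslog collector; the switch cannot edit
# this copy, so it is the reference the on-box header is checked against.
COLLECTOR_SYSLOG = [
    "Sep  1 09:12:41 sw-core-01 123: *Sep  1 09:12:41.120 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by netops on vty0 (10.10.5.4)",
    "Oct 13 02:47:09 sw-core-01 124: *Oct 13 02:47:09.003 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by console",
]

# Assumption: every timestamp falls in the same calendar year, because Cisco
# syslog lines carry no year. A real tool would take the year from the collector.
LOG_YEAR = 2025

LOG_BUFFER_RE = re.compile(r"^Log Buffer \((\d+) bytes\)", re.MULTILINE)
LAST_CHANGE_RE = re.compile(
    r"^! Last configuration change at (\d\d:\d\d:\d\d) \S+ \w{3} (\w{3} \d{1,2} \d{4})",
    re.MULTILINE,
)
CONFIG_EVENT_RE = re.compile(
    r"\*(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)\.\d+ \S+: %SYS-5-CONFIG_I"
)


def log_buffer_bytes(show_logging):
    """Size of the on-box log buffer, or None if the line is absent."""
    m = LOG_BUFFER_RE.search(show_logging)
    return int(m.group(1)) if m else None


def last_config_change(show_run):
    """Timestamp the running-config header claims for the last change, or None."""
    m = LAST_CHANGE_RE.search(show_run)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")


def collector_config_events(lines, year=LOG_YEAR):
    """Timestamps of %SYS-5-CONFIG_I events found in the off-box syslog copy."""
    events = []
    for line in lines:
        m = CONFIG_EVENT_RE.search(line)
        if m:
            mon, day, hms = m.groups()
            events.append(datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S"))
    return events


def audit(show_logging, show_run, collector_lines, year=LOG_YEAR):
    """Return a list of findings; an empty list means 'nothing seen', not 'clean'."""
    findings = []
    size = log_buffer_bytes(show_logging)
    if size == 0:
        findings.append("on-box log buffer is 0 bytes: local logging has been disabled")
    elif size is None:
        findings.append("could not read log buffer size from 'show logging'")

    claimed = last_config_change(show_run)
    events = collector_config_events(collector_lines, year)
    # A header timestamp older than a collector-recorded config change means the
    # on-box value was rewound or the change was made without the normal path.
    if claimed is not None and events and max(events) > claimed:
        findings.append(
            f"running-config header claims last change {claimed:%Y-%m-%d %H:%M:%S} "
            f"but collector saw a config change at {max(events):%Y-%m-%d %H:%M:%S}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_LOGGING, SHOW_RUN_HEADER, COLLECTOR_SYSLOG):
        print("FINDING:", finding)
```

The check only works if the switch was already shipping syslog to a collector before the compromise; a controller that zeroes the buffer after the fact cannot reach the collector's copy, which is why the off-box record is the reference rather than the on-box one.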

Trend's telemetry shows the campaign targeted devices running older Linux stacks without modern EDR, which made it easier for the rootkit to persist and evade blue-team tooling. The spoofed network identifiers (IP and MAC addresses) are presumably an added attempt to blend in or obscure the true source of the traffic.

Apart from SNMP, Trend Micro observed attempts to exploit a modified version of a Telnet vulnerability (based on CVE-2017-3881), retooled to gain arbitrary memory read/write access. The full capabilities of that modified exploit are not yet understood, the researchers noted.

Effects beyond one-time infection

According to Trend Micro, the campaign affected specific Cisco families, including the 9400 and 9300 series and legacy 3750G switches. Affected organizations face more than a one-off compromise: an infected switch can give attackers a long-term, stealthy platform for lateral movement, data interception, or further payload delivery.

Parts of the implant are fileless or volatile: some components disappear on reboot, while hooks left in memory persist and some functions are reactivated dynamically, all of which complicates detection.

“Currently, there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation,” the researchers said. “If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions.”

Additional Trend recommendations include applying the patches for CVE-2025-20352, hardening SNMP access (restricting management-plane reachability and enforcing ACLs), and deploying network and endpoint detections that hunt for the published indicators of compromise (IoCs) and for unusual UDP traffic to the rootkit's controller. Trend also recommended combining its Trend Cloud One Network Security, Trend Vision One, and Deep Discovery offerings for targeted network inspection and XDR against ZeroDisco activity.
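The SNMP hardening advice above (restrict who can reach the management plane, enforce ACLs) is easy to state and easy to leave half-done across a fleet. The following added example, which is not part of the Trend Micro report or any Cisco tooling, audits `snmp-server` lines in IOS/IOS XE running-configs for the settings that widen the attack surface: SNMPv1/v2c communities (where the community string is the only authenticator), default community names, read-write access, missing or undefined ACLs, and SNMPv3 groups below the `priv` security level. The two config fragments are constructed, the ACL and group names are hypothetical, and the parser covers only the common forms of these commands.

```python
import re

# Constructed sample running-config fragments (not from a real device).
# WEAK_CONFIG is the "before": default communities, read-write access,
# one community with no ACL at all, and a v3 group with no authentication.
WEAK_CONFIG = """\
access-list 99 permit 10.10.5.0 0.0.0.255
snmp-server community public RO
snmp-server community private RW
snmp-server community netops RO 99
snmp-server group netmon v3 noauth
"""

# HARDENED_CONFIG is the "after": no v1/v2c communities, a v3 group at the
# priv level bound to a restricted view, and a named ACL limiting sources.
# (snmp-server user lines are not shown in running-config, so they are not
# audited here.)
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.10.5.0 0.0.0.255
 deny   any log
snmp-server view RESTRICTED iso included
snmp-server group netmon v3 priv read RESTRICTED access SNMP-MGMT
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?", re.MULTILINE
)
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$", re.MULTILINE)
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.MULTILINE)
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ", re.MULTILINE)
DEFAULT_COMMUNITIES = {"public", "private"}


def defined_acls(config):
    """Names and numbers of every ACL the config defines."""
    return set(NAMED_ACL_RE.findall(config)) | set(NUMBERED_ACL_RE.findall(config))


def audit_snmp(config):
    """Return a list of findings for weak SNMP settings; empty means none found."""
    findings = []
    acls = defined_acls(config)

    for name, mode, acl in COMMUNITY_RE.findall(config):
        tag = f"community '{name}'"
        # Any v1/v2c community means a cleartext string is the whole authenticator.
        findings.append(f"{tag}: SNMPv1/v2c enabled, community string is the only authenticator")
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{tag}: well-known default community string")
        if mode == "RW":
            findings.append(f"{tag}: read-write access")
        if not acl:
            findings.append(f"{tag}: no access-list, reachable from any source IP")
        elif acl not in acls:
            findings.append(f"{tag}: references access-list '{acl}' that is not defined")

    for name, level, rest in V3_GROUP_RE.findall(config):
        tag = f"v3 group '{name}'"
        if level != "priv":
            missing = "authentication or encryption" if level == "noauth" else "encryption"
            findings.append(f"{tag}: security level '{level}' provides no {missing}")
        m = re.search(r"\baccess (\S+)", rest)
        if not m:
            findings.append(f"{tag}: no access-list, reachable from any source IP")
        elif m.group(1) not in acls:
            findings.append(f"{tag}: references access-list '{m.group(1)}' that is not defined")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_snmp(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it over a directory of archived running-configs and the output is a per-device list of what still needs to change; the `netops RO 99` line in the weak sample shows why an ACL alone is not enough, since it is still flagged for relying on a v2c community string.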
