rss-bridge 2025-10-15T00:00:00+00:00

Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

By: Dove Chiu, Lucien Chuang

Oct 15, 2025

Key takeaways:

  • Attackers exploited the Cisco SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on older, unprotected systems, allowing remote code execution (RCE) and persistent unauthorized access by setting universal passwords and installing hooks into IOSd memory space.
  • The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access.
  • Trend Vision One™ detects and blocks the IoCs discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign. In addition, Trend customers are protected from the Cisco SNMP vulnerability exploits via the specific rules and filters listed at the end of this blog entry.

Trend™ Research has detected an operation where attackers exploited a Cisco Simple Network Management Protocol (SNMP) vulnerability to install a rootkit on vulnerable network devices. The SNMP vulnerability referenced in Cisco’s latest advisory is CVE-2025-20352, which affects both 32-bit and 64-bit switch builds and can result in remote code execution (RCE). The Trend Research investigation also found that attackers used spoofed IP and MAC addresses in their attacks.

Trend investigation revealed that once a Cisco device has a rootkit implanted, the malware sets a universal password that includes the word “disco” in it, which Trend Research believes is a one-letter change from Cisco. The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot. Newer switch models provide some protection via Address Space Layout Randomization (ASLR) which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.

Trend Micro telemetry has, as of writing, detected that Cisco 9400 series and 9300 series devices are affected by this operation. The operation also affected Cisco 3750G devices, which have no guest shell available, but this type of device has already been phased out. Cisco also contributed to this research by providing forensics for their products and impact data that assisted the Trend investigation.

The operation also attempted to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881. The CVE-2017-3881 vulnerability was also known to be exploited to cause RCE, but the attempts of the attackers modified it to enable memory read/write.

Exploit investigation

The Trend investigation recovered several exploits from a compromised Linux attack host; these exploits targeted both 32-bit and 64-bit platforms.

32-bit

  • SNMP exploit capable of installing a rootkit

Network captures show that the exploit traffic targeted a 3750G SNMP service; unfortunately, the exploit code was not fully recovered. Figure 1 shows a malicious SNMP packet captured in the wild that reveals part of the attacker’s command, "$(ps -a". The investigation suggests that, because of a size limit in the exploit, the attacker can only send a few bytes of the command per SNMP packet, so the whole command is split across several SNMP packets.

Figure 1. The malicious SNMP packet with the command “$(ps -a”
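The fragment-splitting behaviour described above (a shell substitution such as "$(ps -a" spread over several SNMP packets) is something a network sensor can reassemble and flag. The following is an added detection example, not code from the original post or from Trend Research: it contains a minimal BER encoder used only to build constructed sample SetRequests, a decoder that pulls the community string and OCTET STRING values out of an SNMPv1/v2c message, and an analyzer that joins the values per source address and looks for shell metacharacters. All addresses, community strings, request IDs and the "$(ps -aux)" continuation are constructed for the example; the real exploit's packet format beyond the "$(ps -a" fragment is not known from the post.

```python
from collections import defaultdict

SET_REQUEST = 0xA3                      # SNMPv1/v2c SetRequest-PDU tag
SHELL_MARKERS = ("$(", "`", "|", ";", "&&")

# --- minimal BER helpers, used here only to build the constructed sample traffic ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):
    size = max(1, (v.bit_length() + 8) // 8)   # leave room for the sign bit
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:                        # base-128 with continuation bits
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(enc))
    return _tlv(0x06, bytes(out))

def build_set(community, oid, value, req_id):
    """Encode one SNMPv2c SetRequest carrying a single OCTET STRING varbind."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(SET_REQUEST, _int(req_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community) + pdu)

# --- decoder side: what a sensor runs over captured UDP/161 payloads ---
def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def parse_snmp(packet):
    """Return (community, pdu_tag, octet-string values) from a v1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    p = 0
    for _ in range(3):                  # skip request-id, error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, vblist, _ = _read_tlv(pdu, p)
    values, q = [], 0
    while q < len(vblist):
        _, vb, q = _read_tlv(vblist, q)
        _, _oid_bytes, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        if vtag == 0x04:                # OCTET STRING
            values.append(val.decode("latin-1"))
    return comm.decode("latin-1"), pdu_tag, values

def analyze(packets):
    """packets: iterable of (src_ip, raw_snmp_bytes). Joins the OCTET STRING
    payloads of SetRequests per source and flags shell-substitution fragments."""
    frags, comms = defaultdict(list), defaultdict(set)
    for src, raw in packets:
        comm, pdu_tag, values = parse_snmp(raw)
        if pdu_tag != SET_REQUEST:
            continue
        frags[src].extend(values)
        comms[src].add(comm)
    findings = {}
    for src, parts in frags.items():
        joined = "".join(parts)
        hits = [m for m in SHELL_MARKERS if m in joined]
        if hits:
            findings[src] = {"reassembled": joined, "markers": hits,
                             "fragments": len(parts), "communities": sorted(comms[src])}
    return findings

def sample_packets():
    # Constructed traffic: an attacker splitting "$(ps -aux)" over two SetRequests
    # using the default "public" community, plus one benign sysContact write.
    sys_contact = "1.3.6.1.2.1.1.4.0"
    return [
        ("10.0.0.5", build_set(b"public", sys_contact, b"$(ps -a", 1001)),
        ("10.0.0.9", build_set(b"n0c-rw", sys_contact, b"NOC team", 7)),
        ("10.0.0.5", build_set(b"public", sys_contact, b"ux)", 1002)),
    ]
```

Running `analyze(sample_packets())` reports only 10.0.0.5, with the reassembled string "$(ps -aux)", two fragments and the "public" community. On a real sensor the per-source buffer should be bounded and expired, and a SetRequest arriving with the default community is worth an alert on its own, independent of the payload.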

  • Telnet exploit

Investigation confirmed that the Telnet exploit was abused to allow memory read/write at arbitrary addresses, but full functionality is unknown as of writing.

64-bit

  • SNMP exploit capable of installing a rootkit

The SNMP exploit that was abused to access 64-bit switch builds required the attacker to be able to run guest shell on the Cisco device, which needs level 15 privilege. If successful, the attacker can log in using the universal password and install a fileless backdoor. After that, the attacker can use a UDP controller to perform various operations.

  • SNMP exploit that can completely stop trace logging on the target

This exploit does not use mmap; the attacker only needs to obtain a few addresses for the exploit to become RCE.

  • SNMP exploit with unknown functionality

The Trend investigation also found a UDP controller component used to control the rootkit, and an ARP spoofing tool on a Cisco switch.

The UDP controller provides several powerful management functions: it can toggle log history on or off or delete log records entirely; bypass AAA authentication and bypass VTY access-control lists; enable or disable a universal password; conceal portions of the running configuration; and reset the timestamp of the last running-config write so the configuration appears never to have been changed.

Figure 2. The UDP controller providing several powerful management functions

Attack scenario

Figure 3 shows a diagram of a simulated network where each zone is separated by a core switch and a different VLAN. For management, SSH or RDP are only allowed from a designated waystation and onto servers controlled by an internal firewall. Meanwhile, an external firewall protects all zones. The victim in this scenario uses SNMP to monitor the status of each switch, and the SNMP community is left at the default of public on each router.

Figure 3. A diagram of a simulated network where each zone is separated by a core switch and a different VLAN

In this simulation, let’s assume the attacker has obtained network details such as critical passwords to access different devices on the network. The attacker is aware that they must bypass the external firewall to enter the protected zone, while the internal firewall only allows SSH from waystations. Since all switches are using an SNMP community that is set to public by default, this can be the attacker’s way in. By exploiting this vulnerability, the attacker could potentially also gain privileged access to critical switches and core switches.

Figure 4. In the simulation, the attacker might be able to bypass the external firewall with obtained passwords to access different devices on the network.

Once the attacker gains access to a core switch, they can connect to different VLANs by adding routing rules. However, this is not enough to bypass the internal firewall, so they impersonate a waystation’s IP address to bypass the internal firewall. To do this, the attacker:

  • Disables the core switch log remotely
  • Logs in to the core switch
  • Assigns the waystation IP to the port which connects to the protected zone
  • Performs ARP spoofing on that port to redirect the old waystation IP to the core switch, which results in the original waystation going offline due to an IP address conflict or mismatch

The ARP spoofing tool found on the Cisco switch is a Linux ELF binary, which can be run in the Cisco guest shell to perform the ARP spoofing.

Figure 5. The ARP spoofing tool
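The takeover sequence above leaves a distinctive trace: the management waystation's IP address suddenly resolves to a MAC address that already belongs to the core switch, and the real waystation drops off with an address conflict. The following is an added detection example, not part of the original post or of Trend Research's tooling: it replays a constructed log of ARP observations (timestamp, interface, IP, MAC) and raises an alert whenever a tracked IP changes MAC, marking it as impersonation when the new MAC is already bound to another IP and as high severity when the IP is on a list of protected management hosts. The addresses 10.10.1.20 (waystation), 10.10.1.1 (core switch) and the MACs are hypothetical; any log line format with those four fields could be substituted in `parse_arp_log`.

```python
from collections import defaultdict

# Constructed ARP observations: "<timestamp> <interface> <ip> <mac>".
# 10.10.1.20 is the management waystation, 10.10.1.1 the core switch SVI;
# at 09:12:41 the core switch's MAC starts answering for the waystation's IP.
SAMPLE_ARP_LOG = """\
2025-10-15T09:00:00Z Vlan10 10.10.1.1  cc:cc:cc:00:00:01
2025-10-15T09:00:00Z Vlan10 10.10.1.20 aa:aa:aa:00:00:20
2025-10-15T09:00:05Z Vlan10 10.10.1.30 bb:bb:bb:00:00:30
2025-10-15T09:12:41Z Vlan10 10.10.1.20 cc:cc:cc:00:00:01
2025-10-15T09:12:45Z Vlan10 10.10.1.30 bb:bb:bb:00:00:30
"""

def parse_arp_log(text):
    """Parse whitespace-separated observation lines into (ts, iface, ip, mac) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, ip, mac = line.split()
        events.append((ts, iface, ip, mac.lower()))
    return events

def detect_arp_takeover(events, protected_ips):
    """Track IP->MAC bindings over time and return a list of alert dicts.

    An alert is raised when an IP is seen with a MAC different from its last
    known one. It is tagged 'impersonation' when that MAC is already bound to
    another IP (a device claiming a second identity), and 'high' severity when
    the IP is a protected management host such as the waystation."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, iface, ip, mac in events:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            other = sorted(mac_to_ips[mac] - {ip})
            alerts.append({
                "ts": ts, "iface": iface, "ip": ip,
                "old_mac": prev, "new_mac": mac,
                "severity": "high" if ip in protected_ips else "medium",
                "kind": "impersonation" if other else "mac-change",
                "mac_also_bound_to": other,
            })
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts

def run_sample():
    """Run the detector over the constructed log with the waystation protected."""
    return detect_arp_takeover(parse_arp_log(SAMPLE_ARP_LOG), {"10.10.1.20"})
```

`run_sample()` yields a single high-severity impersonation alert for 10.10.1.20 at 09:12:41, naming 10.10.1.1 as the other IP already bound to the new MAC; the unchanged 10.10.1.30 entry produces nothing. Correlating such an alert with the core switch's logging having been disabled shortly before, as in the sequence above, is the signal worth paging on.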

[...]
