Cybersecurity researchers have revealed details of a new campaign that exploits recently disclosed security flaws affecting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
The activity, codenamed “Operation Zero Disco” by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. This intrusion was not caused by any known attacker or group.
The flaw was fixed by Cisco late last month, but not before it was exploited as a zero-day attack in the wild.
“This operation primarily affected Cisco 9400, 9300, and legacy 3750G series devices. There was also an attempt to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to gain memory access,” researchers Dove Chiu and Lucien Chuang said.
The cybersecurity firm also noted that the rootkit allowed attackers to remotely execute code and gain permanent unauthorized access by setting a universal password and installing hooks in the Cisco IOS daemon (IOSd) memory space. IOSd runs as a software process within the Linux kernel.
Another notable aspect of this attack was that it identified victims running older Linux systems without endpoint detection and response solutions enabled, allowing them to fly under the radar and deploy the rootkit. Additionally, the attackers allegedly used spoofed IPs and Mac email addresses for the breach.
In addition to CVE-2025-20352, attackers have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 to allow memory read/write at arbitrary addresses. However, the exact nature of the function remains unknown.
The name “Zero Disco” comes from the fact that the embedded rootkit sets a universal password containing the word “disco”, which is “Cisco” with one letter changed.
“The malware then installs several hooks on IOSd, which results in the fileless component disappearing after a reboot,” the researchers note. “The new switch model provides some protection through Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts. However, be aware that repeated attempts may still be successful.”
Source link
