Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in ‘Zero Disco’ Attacks

Summary

Researchers from Trend Micro have detailed “Operation Zero Disco”, a campaign that exploited CVE-2025-20352 (CVSS 7.7) — a stack overflow in Cisco’s SNMP subsystem — to install Linux rootkits on older, unprotected Cisco devices. The attacks focused on legacy models (Cisco 9400, 9300 and 3750G series) and used crafted SNMP packets to achieve remote code execution and persistence by implanting hooks into the IOS daemon (IOSd) memory space.

The implanted rootkit creates a universal password (notably containing the string “disco”), runs a UDP controller to listen for commands, can disable logs, bypass AAA authentication, conceal configuration changes and leave fileless artefacts that vanish after reboot. The adversary also attempted a modified Telnet-based memory read/write exploit (based on CVE-2017-3881). Cisco patched the SNMP flaw late last month, but it was abused in the wild prior to the fix.

Key Points

  • CVE-2025-20352 (SNMP stack overflow) was weaponised to run arbitrary code on vulnerable Cisco IOS / IOS XE devices.
  • Primary targets: Cisco 9400, 9300 and legacy 3750G series; older devices without ASLR were most at risk.
  • Rootkit installs hooks into IOSd, sets a universal password (containing “disco”), and uses a UDP controller to receive commands and hide activity.
  • Attackers preferred victims running older Linux systems without endpoint detection and used spoofed IP/MAC addresses to mask intrusions.
  • Attack also included attempts to exploit a modified Telnet memory-access vulnerability derived from CVE-2017-3881.
  • Cisco released a patch; newer models with ASLR are harder to exploit but repeated attempts can bypass protections.

Context and Relevance

Network equipment is an increasingly attractive target because successful compromise gives attackers persistent control over traffic and infrastructure. This campaign highlights two trends: attackers exploiting device-management protocols (SNMP/Telnet) and targeting older kit lacking modern mitigations or EDR. For organisations running Cisco switches, the risk is not just service disruption — it is stealthy, persistent access that can be very hard to detect.

Mitigations are straightforward but critical: apply Cisco’s patch for CVE-2025-20352, disable or restrict SNMP/Telnet if not needed, enable up-to-date endpoint/network detection on management-plane hosts, enforce device inventory and lifecycle policies so legacy gear is replaced or isolated, and monitor for suspicious universal-password changes or unusual UDP listeners.
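As an added illustration of the "disable or restrict SNMP/Telnet" and "monitor" advice above, here is a Cisco IOS configuration fragment showing the weak settings commonly found on legacy switches next to a hardened equivalent. This is example configuration written for this summary, not taken from the article or from Trend Micro's report; the community string, ACL names, host addresses, user name and secrets are placeholders chosen for illustration.

```cisco
! --- Weak settings (typical of unmanaged legacy switches) ---------------
! A well-known read/write community reachable from any source address,
! and Telnet accepted on the management lines.
snmp-server community public RW
line vty 0 15
 transport input telnet

! --- Hardened equivalent (placeholder names and addresses) --------------
! Remove the open community entirely.
no snmp-server community public

! Allow SNMP only from the management stations; log anything else.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny   any log

! Prefer SNMPv3 with authentication and encryption, bound to the ACL.
snmp-server group MGMT-RO v3 priv access SNMP-MGMT
snmp-server user nms-poller MGMT-RO v3 auth sha <AUTH-SECRET> priv aes 128 <PRIV-SECRET>

! If the device does not need to be polled at all, disable the agent instead:
! no snmp-server

! Replace Telnet with SSH on the management lines and restrict the sources.
ip access-list standard VTY-MGMT
 permit host 192.0.2.10
 deny   any log
line vty 0 15
 transport input ssh
 access-class VTY-MGMT in

! Ship syslog off-box and record every configuration change, so that an
! implant which disables local logging still leaves a trail elsewhere.
logging host 192.0.2.20
archive
 log config
  logging enable
  notify syslog
```

These restrictions reduce exposure of the vulnerable SNMP code path and the Telnet attack surface, but they do not remove the flaw: only Cisco's fixed release does that, and on devices that cannot be patched they are a compensating control until the hardware is replaced or isolated. Off-box logging and configuration-change notifications matter here because the rootkit described above disables logs and conceals configuration changes; comparing the running configuration against a known-good copy, and reviewing `show ip sockets` for UDP listeners you did not configure, are the corresponding checks on the device itself. Because the implant is fileless, a reboot clears the in-memory hooks, but any configuration it hid should still be reviewed afterwards.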

Why should I read this?

If you manage Cisco switches or network kit, this is one you shouldn’t skip. Quick and punchy — it tells you exactly what was hit, how the rootkit behaves (it hides, sets a universal “disco” password and talks over UDP) and what to do next. Saves you the time of sifting through long reports and gives the immediate actions that actually matter.

Source

Source: https://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.html