Operation Zero Disco: Critical Cisco SNMP Flaw (CVE-2025-20352) Used to Implant Linux Rootkits on Switches

Researchers from Trend Research have uncovered a sophisticated campaign, dubbed “Operation Zero Disco”, in which attackers exploit a newly disclosed Cisco SNMP vulnerability (CVE-2025-20352) to implant Linux rootkits on vulnerable Cisco switches, enabling remote code execution (RCE), persistent access, and stealthy manipulation of network configurations.

“Attackers exploited the Cisco SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on older, unprotected systems, allowing remote code execution (RCE) and persistent unauthorised access by setting universal passwords and installing hooks into IOSd memory space,” Trend Research stated.

The attacks primarily target Cisco 9400, 9300, and legacy 3750G series switches, particularly older deployments running outdated Linux-based software and lacking endpoint detection and response (EDR) coverage.

Trend Research notes that the attackers weaponized CVE-2025-20352, a stack-overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, to execute arbitrary code on both 32-bit and 64-bit switch builds, gaining full control over the devices.

“The SNMP exploit referenced in Cisco’s latest advisory… affects both 32-bit and 64-bit switch builds and can result in remote code execution,” Trend explained.

Once compromised, the attackers installed rootkits that not only persist across reboots but also modify IOSd memory to bypass authentication and hide their activities.

“Once a Cisco device has a rootkit implanted, the malware sets a universal password that includes the word ‘disco’ in it… and installs several hooks onto the IOSd,” Trend’s report revealed.

Researchers believe the attackers chose the word “disco” as a one-letter alteration of “Cisco”, giving the operation its name — Zero Disco.

Trend’s investigation found that the Linux-based rootkit runs a UDP listener that accepts covert commands sent to any IP address assigned to the device, and that the destination port does not need to be open for the packets to be processed. This lets remote attackers trigger backdoor functions or reconfigure the switch stealthily.

“The rootkit accepts UDP packets directed to any IP assigned to the device; notably, the port does not have to be open for this function to take effect,” researchers warned.

Figure: A diagram of a simulated network in which each zone is separated by a core switch and a different VLAN (Image: Trend Micro)

Among its key capabilities:

  • Universal Password Injection: The rootkit modifies IOSd memory to insert a universal password that bypasses AAA, local login, and enable passwords.
  • Hidden Configuration Items: It conceals user accounts, EEM scripts, and ACLs from the device’s running configuration. Hidden account names observed include:
    dg3y8dpk, dg4y8epk, dg5y8fpk, dg6y8gpk, and dg7y8hpk.
  • Log Manipulation: It can toggle or delete device logs and reset timestamps to make it appear as if configurations were never changed.
  • VTY Access Bypass: When enabled, this feature allows attackers to circumvent ACL restrictions on Telnet and SSH interfaces.

“The rootkit hides specified account names, EEM scripts, and ACLs from the running configuration… and can toggle log history or delete records entirely,” Trend wrote.

According to Trend’s simulation, attackers began by exploiting publicly exposed SNMP services using the default “public” community string, gaining initial access to core switches.

“The victim in this scenario uses SNMP to monitor the status of each switch, wherein the SNMP community is public by default on each router,” Trend explained.

Once inside, the attackers disabled logging, logged into the core switch, and impersonated a trusted internal waystation device to bypass firewalls separating VLANs. They then used ARP spoofing on the compromised switch to redirect traffic, effectively hijacking network communication.

“The attacker disables the core switch log remotely, assigns the waystation IP, and performs ARP spoofing… which results in the original waystation becoming offline,” the researchers detailed.

After gaining access to the protected zone, the attackers restored the logs to mask intrusion traces. Trend noted that the actual victim networks were even more complex, involving additional lateral movement and persistence mechanisms.
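The ARP-spoofing step above leaves a simple trace on any neighbour that keeps an ARP cache (the firewall between the zones, for instance): the waystation’s IP suddenly resolves to the core switch’s MAC, and that MAC now answers for two addresses. The following script, an added example that is not part of Trend’s report, compares two ARP-table snapshots and flags both symptoms. The `show ip arp`-style tables, addresses and MACs are constructed for the example; the hypothetical `detect_spoofing` helper is not a Cisco or Trend tool.

```python
"""Flag an ARP takeover from two `show ip arp` snapshots.

Added example for the Zero Disco scenario; not from the Trend Micro report.
The tables below are constructed: 10.10.20.1 is the firewall itself,
10.10.20.2 the core switch SVI, 10.10.20.50 the trusted waystation.
"""
import re
from collections import defaultdict

# Cisco IOS `show ip arp` row:  Internet  <ip>  <age|->  <hhhh.hhhh.hhhh>  ARPA  <intf>
ARP_LINE_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

# Constructed baseline: every IP maps to its own, expected MAC.
BASELINE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0000.0c9f.f001  ARPA   Vlan20
Internet  10.10.20.2             14   5c5e.ab00.0002  ARPA   Vlan20
Internet  10.10.20.50             7   00aa.bb01.0050  ARPA   Vlan20
"""

# Constructed snapshot after the compromised core switch assigns itself the
# waystation's IP and sends gratuitous ARP: .50 now points at the switch MAC.
AFTER_SPOOF = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0000.0c9f.f001  ARPA   Vlan20
Internet  10.10.20.2              3   5c5e.ab00.0002  ARPA   Vlan20
Internet  10.10.20.50             0   5c5e.ab00.0002  ARPA   Vlan20
"""


def parse_arp(text: str) -> dict:
    """Return {ip: mac} for every ARPA row; header and unknown lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_spoofing(baseline_text: str, current_text: str) -> list:
    """Return human-readable alerts; an empty list means nothing changed."""
    baseline = parse_arp(baseline_text)
    current = parse_arp(current_text)
    alerts = []

    # Symptom 1: an IP whose MAC changed between snapshots (gratuitous-ARP takeover).
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip}: MAC changed {old} -> {mac}")

    # Symptom 2: one MAC answering for several IPs. Proxy ARP or NAT can cause
    # this legitimately, so treat it as corroboration of symptom 1, not proof.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(BASELINE, AFTER_SPOOF):
        print("ALERT:", alert)
```

In practice the baseline comes from a known-good capture of the firewall’s ARP cache (or from DHCP-snooping bindings if Dynamic ARP Inspection is deployed) and the current snapshot from the same vantage point; the rootkit can suppress the core switch’s own logs, so the evidence has to be collected from a device the attacker does not control.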

The campaign also leveraged a modified version of CVE-2017-3881, the 2017 Cluster Management Protocol (CMP) Telnet vulnerability in Cisco IOS and IOS XE. The modified exploit was re-engineered to provide direct memory read/write access, extending the attackers’ control over the device’s execution environment.

“The operation also attempted to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881… modified to enable memory read/write,” the report noted.

Cisco has since issued an advisory and software updates for CVE-2025-20352. Per the advisory, an attacker holding an SNMPv2c (or earlier) read-only community string or valid SNMPv3 credentials can crash the device, while code execution as root additionally requires administrative (privilege 15) credentials; a leaked read-only community string is therefore enough to matter. Cisco urges organizations to disable SNMP where it is unnecessary, replace default community strings, and apply the fixed software immediately.
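The simulated victim above was reachable because every device still answered to the default “public” community, and Cisco’s guidance is precisely to retire such strings. The following auditor, an added example that is not Cisco’s or Trend’s code, scans an IOS/IOS XE running-config for that exposure: default or guessable community strings, read-write communities, communities without a management ACL, and SNMPv3 groups that skip encryption. The weak and hardened config snippets are constructed for illustration, and `audit_snmp` is a hypothetical helper name.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP exposure.

Added example for the Zero Disco write-up; not from Cisco or Trend Micro.
Both config snippets are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Vendor defaults and wordlist staples; "public" is what the simulated victim left in place.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "community", "monitor", "manager"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community\s+(?P<string>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+ipv6\s+\S+)?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# snmp-server group <name> v3 {auth|noauth|priv} ...
GROUP_V3_RE = re.compile(r"^snmp-server group\s+\S+\s+v3\s+(?P<level>auth|noauth|priv)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    issue: str


def audit_snmp(config: str) -> list[Finding]:
    """Return one Finding per weakness; an empty list means no SNMP exposure found."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            string = m.group("string")
            mode = (m.group("mode") or "RO").upper()   # IOS defaults to RO when omitted
            acl = m.group("acl")
            # Any v1/v2c community is a cleartext shared secret; per Cisco's advisory a
            # read-only one already lets an attacker reach the vulnerable SNMP code path.
            findings.append(Finding(line, "SNMPv1/v2c community configured; migrate to SNMPv3 authPriv"))
            if string.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(line, f"default or guessable community string '{string}'"))
            if mode == "RW":
                findings.append(Finding(line, "read-write community allows configuration changes over SNMP"))
            if acl is None:
                findings.append(Finding(line, "no ACL: any source address can use this community"))
            continue
        g = GROUP_V3_RE.match(line)
        if g and g.group("level").lower() != "priv":
            findings.append(Finding(line, f"SNMPv3 group without encryption ({g.group('level')}); use priv"))
    return findings


# Constructed weak config: the state the article's simulated victim was in.
WEAK_CONFIG = """\
hostname core-sw1
!
snmp-server community public RO
snmp-server community private RW
snmp-server location DC1
"""

# Constructed hardened config: SNMPv3 authPriv, read-only view, manager ACL.
# (IOS does not echo `snmp-server user` lines in the running-config.)
HARDENED_CONFIG = """\
hostname core-sw1
!
ip access-list standard SNMP-MGMT
 permit 10.0.100.10
 deny   any log
!
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GRP v3 priv read NMS-VIEW access SNMP-MGMT
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print(f"  {f.issue}\n      {f.line}")
```

Run it over config backups pulled from your management system rather than from the suspect device: the rootkit described above hides configuration items from the running-config it serves, so a clean audit of a compromised switch proves nothing, while an audit of the last pre-incident backup still tells you which devices were reachable with a default string.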
