Cybersecurity researchers at Trend Micro have uncovered a sophisticated attack campaign dubbed “Operation Zero Disco” that exploits a critical Cisco SNMP vulnerability to deploy Linux rootkits on network infrastructure devices.
The campaign primarily targets older Cisco switch models, allowing attackers to establish persistent backdoor access and evade detection systems.
Critical Vulnerability Enables Remote Code Execution
The attack leverages CVE-2025-20352, a newly disclosed vulnerability in Cisco’s Simple Network Management Protocol (SNMP) implementation that affects both 32-bit and 64-bit switch builds.
This critical flaw enables remote code execution (RCE) on vulnerable devices, providing attackers with a powerful entry point into corporate networks.
The vulnerability is particularly dangerous because SNMP services are commonly configured with default “public” community strings, making exploitation straightforward for attackers with network access.
Cisco has confirmed that the vulnerability impacts multiple switch series, with Trend Micro telemetry specifically detecting compromises on Cisco 9400, 9300, and legacy 3750G series devices.
The 3750G models are particularly vulnerable as they lack modern security protections, though these devices have already been phased out by Cisco.
Newer switch models incorporate Address Space Layout Randomization (ASLR), which provides some protection, though repeated exploitation attempts can still succeed.
Sophisticated Rootkit Deployment and Persistence
Once attackers successfully exploit the SNMP vulnerability, they deploy a sophisticated rootkit that establishes multiple persistence mechanisms.
The malware creates a universal password containing the word “disco”—believed to be a deliberate reference to Cisco with a single letter change.
This universal password works across most authentication methods including AAA, local login, and enable password systems by hooking low-level authentication functions in the IOSd memory space.

- Universal password “disco” enables cross-method authentication hooks.
- Fileless components remain active post-reboot via IOSd memory modifications.
- Hooks disable logging and conceal malicious activities within device processes.
The rootkit provides attackers with extensive control capabilities through a UDP controller component that operates on any port without requiring the port to be explicitly opened.
This controller enables attackers to toggle log history on or off, delete log records entirely, bypass AAA authentication and VTY access-control lists, and conceal portions of the running configuration.

Additionally, the malware can reset timestamps of configuration changes, making it appear that the device configuration was never modified.
Advanced Evasion and Network Infiltration Techniques
The operation demonstrates sophisticated network infiltration capabilities that allow attackers to bypass multiple security layers.
Attackers use the compromised core switches to connect different VLANs by adding routing rules, then impersonate legitimate waystation IP addresses to bypass internal firewalls.

The campaign includes ARP spoofing tools specifically designed to run on Cisco guest shells, enabling attackers to redirect traffic and take legitimate network devices offline through IP address conflicts.
- VLAN routing manipulation to bridge segmented network zones.
- IP spoofing of trusted management hosts for firewall bypass.
- ARP spoofing embedded in guest shell binaries to hijack traffic.

To maintain stealth, the rootkit can hide specific running-configuration items including account names, Embedded Event Manager (EEM) scripts, and Access Control Lists (ACLs).
Trend Micro researchers discovered hidden account names following patterns like “dg3y8dpk” through “dg7y8hpk,” hidden EEM scripts named “CiscoEMX-1” through “CiscoEMX-5,” and concealed ACLs including “EnaQWklg0,” “EnaQWklg1,” and “EnaQWklg2”.
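The named indicators above (hidden accounts, EEM scripts, ACLs) and the default "public" community string from earlier in the article can be checked offline against a configuration backup. The scanner below is an added example, not Trend Micro's or Cisco's code; the account-name range `dg[3-7]y8[d-h]pk` is an interpretation of the "dg3y8dpk through dg7y8hpk" wording, and the sample config is constructed.

```python
import re

# Constructed sample running-config excerpt (not taken from the report).
SAMPLE_CONFIG = """\
hostname core-sw-01
username admin privilege 15 secret 5 $1$placeholder
username dg5y8fpk privilege 15 secret 5 $1$placeholder
snmp-server community public RO
snmp-server community s3cretstring RW 10
event manager applet CiscoEMX-3
 event none
ip access-list extended EnaQWklg1
 permit ip any any
"""

# Indicator names come from the report; the account-name character ranges
# are an assumption derived from the two endpoints the report quotes.
INDICATORS = {
    "hidden_account": re.compile(r"^username\s+(dg[3-7]y8[d-h]pk)\b", re.M),
    "hidden_eem_script": re.compile(r"^event manager applet\s+(CiscoEMX-[1-5])\b", re.M),
    "hidden_acl": re.compile(r"^ip access-list \w+\s+(EnaQWklg[0-2])\b", re.M),
    "default_public_community": re.compile(r"^snmp-server community\s+(public)\b", re.M),
}


def scan_config(config_text):
    """Return a list of (indicator_name, matched_value) tuples found in the config."""
    findings = []
    for name, pattern in INDICATORS.items():
        for match in pattern.finditer(config_text):
            findings.append((name, match.group(1)))
    return findings


if __name__ == "__main__":
    for name, value in scan_config(SAMPLE_CONFIG):
        print(f"{name}: {value}")
```

Because the rootkit conceals these items from `show running-config` on a compromised device, run the scan against configuration backups collected by a management system or a startup-config copied out of band rather than against live output from the suspect switch.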
The campaign also attempts to exploit a modified version of CVE-2017-3881, a previously known Telnet vulnerability that originally caused remote code execution.
The attackers have modified this exploit to enable arbitrary memory read and write operations, though the full functionality of this modified exploit remains under investigation.
The combination of multiple vulnerabilities and sophisticated evasion techniques makes this campaign particularly dangerous for organizations relying on older network infrastructure without modern endpoint detection and response solutions.
Indicators of Compromise and Detection
Organizations can protect themselves using Trend Micro’s Cloud One Network Security and Deep Discovery solutions, which include specific detection rules 46396 for the SNMP exploit and rules 5497 and 5488 for UDP controller communications.
However, there is currently no universal automated tool that can reliably determine if a Cisco switch has been compromised, making manual investigation with Cisco Technical Assistance Center support necessary for suspected compromises.