Hackers exploit Cisco SNMP flaw to deploy rootkit on switches

Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access. The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges. According to cybersecurity company Trend Micro, the attacks targeted Cisco 9400, 9300, and legacy 3750G series devices that did not have endpoint detection response solutions. In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation." Trend Micro researchers track the attacks under the name 'Operation Zero Disco' because the malware sets a universal access password that contains the word "disco." The report from Trend Micro notes that the threat actor also attempted to exploit CVE-2017-3881, a seven-year-old vulnerability in the Cluster Management Protocol code in IOS and IOS XE. The rootkit planted on vulnerable systems features a UDP controller that can listen on any port, toggle or delete logs, bypass AAA and VTY ACLs, enable/disable the universal password, hide running configuration items, and reset the last write timestamp for them. UDP controller functions Source: Trend Micro In a simulated attack, the researchers showed that it is possible to disable logging, impersonate a waystation IP via ARP spoofing, bypass internal firewall rules, and move laterally between VLANs. Overview of the simulated attack Source: Trend Micro Although newer switches are more resistant to these attacks due to Address Space Layout Randomization (ASLR) protection, Trend Micro says that they are not immune and persistent targeting could compromise them. After deploying the rootkit, the malware "installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers say. The researchers were able to recover both 32-bit and 64-bit variants of the SNMP exploit. Trend Micro notes that there currently exists no tool that can reliably flag a compromised Cisco switch from these attacks. If there is suspicion of a hack, the recommendation is to perform a low-level firmware and ROM region investigation. A list of the indicators of compromise (IoCs) associated with 'Operation Zero Disco' can be found here.