Hackers exploit Cisco SNMP flaw to deploy rootkit on switches

Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access.

The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
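Because the flaw sits in the SNMP agent, the first thing a network defender wants is a quick way to see which switches expose SNMP more widely than they need to. The script below is an added example, not code from the article, Trend Micro or Cisco: it audits a constructed Cisco IOS-style running-config fragment for the SNMP settings that widen exposure (SNMPv1/v2c community strings, well-known default strings, communities with no source access-list, and SNMPv3 groups below the priv level). The sample config, the WEAK_COMMUNITIES set and the wording of each finding are assumptions made for illustration.

```python
import re
from typing import List, Set

# Constructed sample of Cisco IOS-style running-config lines (assumption, not
# from the article); it mixes weak and acceptable SNMP settings on purpose.
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
snmp-server group NETMON v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user monitor NETMON v3 auth sha AUTHPASS priv aes 128 PRIVPASS
access-list 10 permit 192.0.2.10
logging host 192.0.2.50
"""

# Community strings commonly shipped or reused as defaults (assumption).
WEAK_COMMUNITIES: Set[str] = {"public", "private"}

# "snmp-server community <string> [view <name>] RO|RW [<acl>]"
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$"
)
# "snmp-server group <name> v3 noauth|auth|priv"
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
# Numbered or named access-list definitions.
ACL_RE = re.compile(
    r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))"
)


def defined_acls(lines: List[str]) -> Set[str]:
    """Collect the numbers/names of access-lists defined in the config."""
    acls: Set[str] = set()
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str) -> List[str]:
    """Return human-readable findings for SNMP settings that widen exposure."""
    lines = [ln.strip() for ln in config.splitlines()]
    acls = defined_acls(lines)
    findings: List[str] = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            # Any community string means SNMPv1/v2c is enabled: the only
            # "credential" is the shared string, and it travels in cleartext.
            findings.append(
                f"community '{name}' ({mode}): SNMPv1/v2c in use; prefer SNMPv3 priv"
            )
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(f"community '{name}': well-known default string")
            if acl is None:
                findings.append(
                    f"community '{name}' ({mode}): no access-list restricts source hosts"
                )
            elif acl not in acls:
                findings.append(
                    f"community '{name}' ({mode}): access-list {acl} referenced but not defined"
                )
            continue
        m = V3_GROUP_RE.match(line)
        if m and m.group(2) != "priv":
            # noauth/auth groups skip encryption (and noauth skips authentication).
            findings.append(
                f"group '{m.group(1)}': SNMPv3 {m.group(2)} lacks encryption; use priv"
            )
    return findings


def meets_baseline(config: str) -> bool:
    """True when the config produces no findings under the assumed baseline."""
    return not audit_snmp(config)


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Run it over `show running-config` output saved to a file. An empty finding list only means the config meets the baseline the script assumes; it says nothing about whether the device is patched for CVE-2025-20352 or whether it has already been compromised, which this article notes no tool can currently determine reliably.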

According to cybersecurity company Trend Micro, the attacks targeted Cisco 9400, 9300, and legacy 3750G series devices that did not have endpoint detection and response solutions.

In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation."

Trend Micro researchers track the attacks under the name 'Operation Zero Disco' because the malware sets a universal access password that contains the word "disco."

The report from Trend Micro notes that the threat actor also tried to exploit CVE-2017-3881, a seven-year-old vulnerability in the Cluster Management Protocol code in IOS and IOS XE.

The rootkit planted on vulnerable systems includes a UDP controller that can listen on any port, toggle or delete logs, bypass AAA and VTY ACLs, enable or disable the universal password, hide running-configuration items, and reset the last write timestamp for them.

UDP controller functions
Source: Trend Micro

In a simulated attack, the researchers showed that it is possible to disable logging, impersonate a waystation IP via ARP spoofing, bypass internal firewall rules, and move laterally between VLANs.

Overview of the simulated attack
Source: Trend Micro

Although newer switches are more resistant to these attacks thanks to Address Space Layout Randomization (ASLR) protection, Trend Micro says they are not immune and that persistent targeting could compromise them.

After deploying the rootkit, the malware "installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers say.

The researchers were able to recover both 32-bit and 64-bit variants of the SNMP exploit.

Trend Micro notes that there is currently no tool that can reliably flag a Cisco switch compromised in these attacks. If a compromise is suspected, the recommendation is to perform a low-level investigation of the firmware and ROM region.

A list of the indicators of compromise (IoCs) associated with 'Operation Zero Disco' is provided in Trend Micro's report.
