Operation ZeroDisco: Critical Cisco SNMP Flaw (CVE-2025-20352) Used to Implant Linux Rootkits and Inject “Disco” Password
Researchers at Trend Micro have documented a large-scale operation codenamed ZeroDisco, in which attackers weaponized a critical flaw in Cisco’s SNMP implementation (CVE-2025-20352, CVSS 9.0) to implant rootkits and execute arbitrary code on network gear. The campaign struck Cisco switch families including the 9400, 9300 and legacy 3750G lines. Analysts also observed attempts to exploit a modified variant of the old Telnet vulnerability CVE-2017-3881 (CVSS 9.8).
According to Trend Micro, adversaries targeted devices running out-of-date Linux stacks lacking visibility and incident-response controls. Upon successful compromise, a stealthy rootkit was deployed to obscure activity and sustain persistent, unauthorized access. Infected switches were back-doored with a universal password containing the token “disco” — a mutated nod to the vendor’s name — while malicious hooks were injected directly into IOSd memory, rendering components fileless and ephemeral after a reboot.
Devices without Address Space Layout Randomization (ASLR) were the most susceptible; although ASLR on newer platforms reduces exploitation probability, repeated attempts still yielded compromises. Cisco provided forensic telemetry to assess the incident’s scope and confirmed only a limited set of customers were affected; there is no evidence of broad, indiscriminate propagation so far.
Beyond SNMP abuse, attackers used an adapted Telnet exploit based on CVE-2017-3881 not to spawn remote code execution but to read and write arbitrary memory regions. The campaign leveraged forged IP addresses and masqueraded traffic under trusted mail domains (including Apple-branded domains). On Linux hosts used to stage attacks, researchers found SNMP exploits compiled for both 32- and 64-bit targets, alongside ARP-spoofing toolsets.
On 32-bit systems, attackers fragmented SNMP payloads into multiple short commands to work around protocol constraints; one intercepted fragment contained the string “$(ps -a”, a telltale sign of shell substitution and remote command execution. Against 64-bit targets the exploit required level-15 privileges and access to the switch’s guest shell. After authenticating with the universal credential, the intruders installed a fileless backdoor controlled via a UDP-based controller that could disable logging, bypass AAA authentication, hide configuration elements and falsify timestamps so the changes appeared never to have occurred.
Trend Micro reconstructed the typical attack sequence in an enterprise network: an actor with basic credentials abuses publicly exposed SNMP to pivot onto routers and switches, then seizes the core switch to reach all VLANs. They then impersonate a trusted admin host, perform ARP spoofing to divert traffic and isolate the legitimate machine, and finally restore logging to erase traces of the intrusion.
The rootkit operates at the switch OS level and provides multiple offensive capabilities: it opens a covert control channel on arbitrary UDP ports, forges a universal password by tampering with IOSd memory to grant access irrespective of authentication method, and conceals user accounts, Embedded Event Manager (EEM) scripts and ACL entries — Trend Micro observed specific account names such as dg3y8dpk, dg4y8epk, dg5y8fpk, dg6y8gpk and dg7y8hpk. It can also temporarily suspend audit logging and reset the “last configuration change” timestamp. Because all modifications vanish after a reboot, post-incident forensic analysis is severely hampered.
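Because the rootkit hides accounts and suspends logging on the switch itself, the most reliable place to look for the tradecraft described in the two paragraphs above is telemetry the device cannot rewrite after the fact: an external syslog or AAA server and captured SNMP traffic. The following script is an added example, not code from Trend Micro or Cisco. It checks three things from the report: SNMP string values carrying shell-substitution markers (the “$(ps -a” fragment), logins under the reported account names, and unexplained silent periods in a switch’s syslog stream. The syslog lines and SNMP values are constructed for the example (the message shapes follow Cisco’s %SEC_LOGIN and %SYS-5-CONFIG_I formats); the host name, addresses and year are assumptions.

```python
"""Off-box indicator checks for ZeroDisco-style activity (added example).

The account names come from the article; the syslog lines, SNMP values,
host name and addresses below are constructed for illustration.
"""
import re
from datetime import datetime

# Account names Trend Micro reported the rootkit conceals on the switch.
INDICATOR_ACCOUNTS = {"dg3y8dpk", "dg4y8epk", "dg5y8fpk", "dg6y8gpk", "dg7y8hpk"}

# Shell command-substitution markers; "$(ps -a" appeared in a fragmented SNMP payload.
SHELL_SUBSTITUTION = re.compile(r"\$\(|`")

# Syslog shape "<Mon DD HH:MM:SS> <host> <message>" and the Cisco login-success fields.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")


def scan_snmp_values(values):
    """Return (index, value) for every SNMP string value containing shell substitution."""
    return [(i, v) for i, v in enumerate(values) if SHELL_SUBSTITUTION.search(v)]


def parse_syslog(lines, year):
    """Parse syslog lines into dicts with a datetime; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not in the expected shape; skip rather than guess
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "msg": m["msg"]})
    return events


def find_indicator_logins(events):
    """Successful logins by the reported account names, as (user, source) pairs in log order."""
    hits = []
    for e in events:
        m = LOGIN_RE.search(e["msg"])
        if m and m["user"] in INDICATOR_ACCOUNTS:
            hits.append((m["user"], m["src"]))
    return hits


def find_logging_gaps(events, max_gap_seconds=7200):
    """Silent periods longer than max_gap_seconds between consecutive events of one host.

    Returns (host, gap_start, gap_end, gap_seconds). A gap is a lead, not proof:
    correlate it with NetFlow or SNMP polling data before treating it as suppression.
    """
    gaps = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        prev = last_seen.get(e["host"])
        if prev is not None:
            silent = int((e["ts"] - prev).total_seconds())
            if silent > max_gap_seconds:
                gaps.append((e["host"], prev, e["ts"], silent))
        last_seen[e["host"]] = e["ts"]
    return gaps


# Constructed sample input (not captured data).
SAMPLE_SNMP_VALUES = ["public", "$(ps -a", "noc@example.com", "`id`"]
SAMPLE_SYSLOG = [
    "Oct 13 10:00:00 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Oct 13 10:01:02 core-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]",
    "Oct 13 10:02:15 core-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: dg5y8fpk] [Source: 203.0.113.7] [localport: 22]",
    "Oct 13 14:40:00 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.5)",
]

if __name__ == "__main__":
    print("shell substitution in SNMP values:", scan_snmp_values(SAMPLE_SNMP_VALUES))
    events = parse_syslog(SAMPLE_SYSLOG, 2025)
    print("indicator-account logins:", find_indicator_logins(events))
    print("logging gaps:", find_logging_gaps(events))
```

Run it against a real syslog export by replacing SAMPLE_SYSLOG with the file’s lines and adjusting the year. The account-name check only catches the names Trend Micro published; treat any login from an unfamiliar source address as equally worth a look, and remember that the gap detector flags quiet periods that may simply be a quiet switch.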
At present there is no universal scanner capable of reliably surfacing compromised devices en masse. Trend Micro advises any organization suspecting compromise to engage Cisco support immediately for low-level firmware and boot-area forensics. Mitigation recommendations include virtual patching, deep traffic inspection, and robust exploit blocking mechanisms.
ZeroDisco ranks among the most technically sophisticated campaigns against Cisco network equipment in recent years. By fusing legacy vulnerabilities, fragmented SNMP payloads and in-memory concealment techniques, the operators demonstrated that even long-standing protocols — when relentlessly targeted — can still provide a viable ingress into corporate infrastructure.