Operation Zero Disco Exploits Cisco SNMP Flaw for Rootkit Installation

Operation Zero Disco is a cyberattack campaign targeting Cisco networking devices by exploiting the Cisco SNMP vulnerability (CVE-2025-20352). This vulnerability allows attackers to gain remote code execution (RCE), deploy Linux rootkits, and establish persistent unauthorized access to devices such as Cisco 9400, 9300, and 3750G series switches. The campaign’s name, Zero Disco, is derived from the malware’s use of a universal password containing “disco”, a subtle modification of “Cisco.” This detail highlights the attackers’ deliberate targeting of Cisco’s network infrastructure to achieve deep, covert access.

Severity: High

Exploit Mechanism

• Attackers first scanned for devices with SNMP community set to public and gained access by exploiting CVE-2025-20352.
• CVE-2025-20352 exploit delivers malicious packets that deliver commands in fragmented form to bypass length restrictions in SNMP protocol messages.
• After exploitation, the attackers deploy rootkits onto the target system’s IOSd memory.
• A modified Telnet exploit (derived from CVE-2017-3881) was used to gain memory read/write access for persistence and further manipulation.

Rootkit Capabilities & Persistence

Once a Cisco device is compromised and the rootkit is implanted, it enables several malicious functions:

• Universal Password: The malware sets a universal password, which includes the word “disco,” allowing remote access across most authentication methods.
• Fileless Backdoor: The malware installs several hooks onto the IOSd memory space, resulting in fileless components that disappear after a reboot.
• Lateral Movement: The rootkit can connect different VLANs, allowing for lateral movement across the network.
• Evasion and Concealment: A powerful UDP controller component is used to manage the rootkit. The controller can toggle or delete log history. It can conceal portions of the running configuration in memory, such as specific account names, EEM scripts, and ACLs. It can reset the timestamp of the last running-config write to hide configuration changes.

Recommendations

1. Ensure that all Cisco devices, especially 9400, 9300, & 3750G series switches, are updated with the latest patches to fix the CVE-2025-20352 vulnerability and other related flaws.
2. If you suspect a Cisco switch has been successfully compromised by the ZeroDisco operation, immediately contact Cisco TAC and ask for vendor assistance with a low-level investigation of the firmware/ROM/boot regions.
3. The attack simulation noted that the SNMP community was set to public by default. Always change default SNMP community strings and credentials to complex, unique values.
4. Disable SNMP v1/v2 or, if necessary, restrict SNMP to trusted management networks by setting strict ACLs. If SNMP must be used, configure SNMP v3 with strong authentication and encryption.
5. Enforce strong access control lists (ACLs) to limit who can access VTY lines (for SSH or Telnet access) on Cisco devices.
6. Block the IOCs at their respective controls
   https://www.virustotal.com/gui/collection/a6e19042cf6aa33af2338b90970742d63f2c2c1bfa0dd26936cb0d41930371b8/iocs

Source:

• https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
• https://www.ampcuscyber.com/shadowopsintel/vulnerability-in-cisco-ios-and-ios-xe-enables-rce-and-dos/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.