Older Cisco devices unpatched against a recent zero-day vulnerability have been infected with a rootkit in a new campaign, Trend Micro reports.
The exploited defect, tracked as CVE-2025-20352 (CVSS score of 7.7), was patched in late September, when Cisco warned of its in-the-wild exploitation.
Described as a stack overflow issue in the Simple Network Management Protocol (SNMP) of IOS and IOS XE devices, the bug allows low-privileged attackers to cause a denial-of-service (DoS) condition and can be exploited by high-privileged attackers for remote code execution (RCE).
Now, Trend Micro says it has observed a threat actor exploiting the vulnerability to deploy a rootkit on older, vulnerable devices, including Cisco 9400, 9300, and legacy 3750G series devices.
“The operation targeted victims running older Linux systems that do not have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection,” Trend Micro notes.
The campaign has been dubbed Operation ZeroDisco, as the malware sets a universal password containing the word ‘disco’, a one-letter change from Cisco.
In addition to CVE-2025-20352, the hackers used a modified exploit for CVE-2017-3881, a Telnet flaw leading to RCE, that allowed memory read/write.
Against 32-bit systems, the attackers used malicious SNMP packets to send commands to the vulnerable devices, and relied on the Telnet exploit to obtain memory read/write at arbitrary addresses.
Against 64-bit systems, the threat actors used the SNMP exploit to deploy the rootkit, and then logged in using the universal password and deployed a fileless backdoor. The attackers also connected different VLANs for lateral movement.
The rootkit, Trend Micro explains, monitors UDP packets sent to any device port, even closed ones, which allows the attackers to configure or trigger backdoor functions. It also modifies IOSd memory to set up the universal password that works across most authentication methods.
It also hides running-config items in memory, allows the bypass of ACLs applied to VTY (the virtual interface on a Cisco device used for remote access), can disable log history, and resets running-config write timestamps to hide changes.
“Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions,” Trend Micro notes.
Related: Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign
Related: Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks
Related: Microsoft Patches 173 Vulnerabilities, Including Exploited Windows Flaws
Related: Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks
