Full Report
Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple
Analysis Summary
# Vulnerability: Cisco IOS/IOS XE SNMP Stack Overflow leading to Linux Rootkit Deployment
## CVE Details
- CVE ID: CVE-2025-20352
- CVSS Score: 7.7 (High)
- CWE: Stack-based buffer overflow (CWE ID not stated; implied by the description)
## Affected Systems
- Products: Cisco IOS Software and IOS XE Software
- Versions: Older, unprotected systems (Specific versions not detailed, but patched "late last month")
- Configurations: Devices with SNMP subsystem accessible.
## Vulnerability Description
CVE-2025-20352 is a stack overflow vulnerability residing in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software. A remote, authenticated attacker can exploit this flaw by sending specially crafted SNMP packets to a vulnerable device, leading to arbitrary code execution. This vulnerability was actively exploited in the wild as a zero-day prior to the vendor patch.
## Exploitation
- Status: Exploited in the wild (Zero-day used prior to patch)
- Complexity: Medium/High (implied; requires valid SNMP credentials and specially crafted packets, yet resulted in full device compromise)
- Attack Vector: Network (Remote via SNMP packets)
**Post-Exploitation Activity (Operation Zero Disco):**
Attackers used the resulting code execution to deploy Linux rootkits on the underlying Linux system that hosts the IOSd process. They also attempted to use a modified exploit for CVE-2017-3881 (a Telnet vulnerability) to obtain arbitrary memory read/write for persistence. The deployed rootkit sets a universal password containing the string "disco", hooks into the `IOSd` process memory space, and uses fileless components that disappear on reboot.
## Impact
- Confidentiality: High (Arbitrary code execution and persistent unauthorized access)
- Integrity: High (Ability to modify system state via rootkit installation and setting universal passwords)
- Availability: Medium (Persistence mechanisms established, potential for service disruption)
## Remediation
### Patches
- Cisco released patches for CVE-2025-20352 "late last month" (prior to the article date of Oct 16, 2025). Users must apply the relevant Cisco IOS/IOS XE security updates.
### Workarounds
- **Disable SNMP:** If immediate patching is not possible, disable SNMP entirely or, where it must remain, restrict it to trusted management hosts only.
- **ASLR:** Newer switch models benefit from Address Space Layout Randomization (ASLR), which lowers the success rate of memory-corruption attacks like this one, although repeated attempts can still succeed. Where a platform supports such mitigations, ensure they are enabled.
- **EDR:** Ensure endpoint detection and response (EDR) solutions covering the underlying Linux system are enabled, as older systems lacking this protection were primary targets for rootkit deployment.
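As an added illustration of the "disable or restrict SNMP" workaround (example configuration written for this summary, not taken from the article or from Cisco's advisory), the following Cisco IOS/IOS XE CLI fragment shows a permissive SNMP setting beside a restricted one. The community string, ACL name, view/group/user names, secrets and the management host address are assumed placeholders.

```cisco
! --- Weak setting (assumed example): a read-write community reachable from any source.
! Anyone who learns this string meets the "authenticated" precondition and can
! reach the SNMP subsystem from wherever the device is routable.
snmp-server community public RW

! --- Restricted setting ---
! 1. Remove the permissive community.
no snmp-server community public

! 2. Allow SNMP only from the management station(s); 192.0.2.10 is a placeholder.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log

! 3. Prefer SNMPv3 with authentication and privacy, bound to the same ACL and
!    limited to the view the NMS actually polls. Names and secrets are placeholders.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-secret> priv aes 128 <priv-secret>

! If SNMPv1/v2c must stay for a legacy poller, keep it read-only and ACL-bound.
! snmp-server community <ro-string> RO SNMP-MGMT

! 4. Where SNMP is not needed at all until the patch is applied, turn the agent off.
! no snmp-server
```

These changes only shrink who can reach the SNMP subsystem; because the flaw is triggered by an authenticated sender, applying the Cisco fix remains the actual remediation.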
## Detection
- **Indicators of Compromise (IoCs):** Look for unauthorized creation or modification of system files, unusual hooks in the `IOSd` memory space, or the presence of universal passwords containing variations of "disco" or related strings in system configurations.
- **Detection Methods and Tools:** Monitor SNMP traffic for malformed packets or high request volumes targeting the vulnerable subsystem. Utilize security monitoring tools capable of inspecting memory space or kernel activity for signs of rootkit injection targeting the `IOSd` process.
- **Related Vulnerability:** Monitor for exploitation attempts targeting network services like Telnet, potentially using variations of known flaws like CVE-2017-3881.
## References
- Vendor Advisory: Cisco official advisory regarding CVE-2025-20352 (Requires lookup based on vendor release date).
- Trend Micro Research: hxxps://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
- Previous Cisco SNMP Advisories (For context on CVE-2017-3881 manipulation): hxxps://thehackernews.com/2017/05/cisco-network-switch-update.html