Full Report
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access. [...]
Analysis Summary
# Vulnerability: Cisco SNMP RCE Leading to Rootkit Deployment via CVE-2025-20352
## CVE Details
- CVE ID: CVE-2025-20352
- CVSS Score: N/A (not given in the source; the flaw enables Remote Code Execution)
- CWE: N/A (not given in the source; inferred to be Improper Input Validation or similar, since the RCE is reached through SNMP)
- Note: CVE-2017-3881 was also mentioned as being exploited alongside the main vulnerability.
## Affected Systems
- Products: Cisco IOS and IOS XE (Specific mentions of 9400, 9300, and legacy 3750G series devices)
- Versions: Older, unprotected versions prior to the patch release for CVE-2025-20352.
- Configurations: Devices where SNMP is active and the vulnerability is unpatched.
## Vulnerability Description
A Remote Code Execution (RCE) vulnerability exists in the Simple Network Management Protocol (SNMP) implementation of Cisco IOS and IOS XE. Successful exploitation, which requires the attacker to already hold root privileges, allows threat actors to execute arbitrary code. The flaw was leveraged to deploy a persistent Linux rootkit in a campaign Trend Micro tracks as 'Operation Zero Disco'. The attackers gained persistent access, set universal access passwords containing "disco", and then used the rootkit for further malicious actions.
## Exploitation
- Status: Exploited in the wild (Confirmed as a zero-day by Cisco PSIRT and Trend Micro)
- Complexity: Medium/High. Delivering the initial RCE payload requires existing root privileges, which may be obtained through a preceding step or a separate vulnerability; CVE-2017-3881 has been used this way in similar campaigns.
- Attack Vector: Network (Leveraging SNMP)
## Impact
The rootkit deployed provides extensive post-exploitation capabilities:
- Confidentiality: High (Ability to inspect network activity and potentially access sensitive data)
- Integrity: High (Ability to modify system settings, disable security controls)
- Availability: Medium (Ability to manipulate logs and configuration, potentially causing denial of service)
**Rootkit Capabilities:**
* Listens on any UDP port for commands.
* Can toggle or delete logs, hiding forensic evidence.
* Bypasses Authentication, Authorization, and Accounting (AAA) and VTY Access Control Lists (ACLs).
* Installs fileless components by hooking into `IOSd`; these disappear after a reboot unless persistence hooks are maintained.
## Remediation
### Patches
- Specific patch versions are not detailed in the summary, but organizations must apply the update released by Cisco to address **CVE-2025-20352**.
### Workarounds
- Disable SNMP on affected devices until patches can be applied.
- Because the attacks were observed against devices lacking EDR, deploying Endpoint Detection and Response (EDR) or comparable monitoring may serve as a compensating control, although the report notes this was insufficient for the older devices involved.
## Detection
- **Indicators of Compromise (IoCs):** Refer to the IoCs published by Trend Micro (linked in the original source) for 'Operation Zero Disco'. Recently set universal access passwords containing the string "disco" are a strong indicator.
- **Detection Methods and Tools:** No reliable, off-the-shelf tool to universally flag a compromised switch was noted. Recommendations include performing low-level firmware and ROM region investigations if compromise is suspected. Monitoring SNMP traffic and configuration changes for unauthorized privileges or unknown user creation is advised.
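The configuration-change monitoring recommended above, as an added example that is not part of the original report: it scans IOS config-change syslog events for creation of users outside an allowlist and for cleartext credentials containing "disco". The log lines are constructed, and the `%PARSER-5-CFGLOG_LOGGEDCMD` format (emitted when `archive log config` is enabled) and the `KNOWN_USERS` allowlist are assumptions.

```python
import re
from typing import Iterable

# Constructed sample syslog lines (not taken from the report).
# Format assumed: IOS "archive log config" events.
SAMPLE_LOGS = """\
Oct 10 01:02:03 sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Oct 10 01:02:04 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Gi1/0/1
Oct 10 01:07:11 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc-backup privilege 15 password 0 Disco2025
Oct 10 01:07:15 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:enable password letmedisco
Oct 10 01:07:20 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username netops privilege 15 secret 9 $9$abc
"""

KNOWN_USERS = {"admin", "netops"}  # assumed allowlist; adjust per environment

CMD_RE = re.compile(r"logged command:(?P<cmd>.+)$")
USER_RE = re.compile(r"^username\s+(?P<name>\S+)")
# Optional encoding type digit (0 = cleartext, 5/7/8/9 = hashed/obfuscated)
CRED_RE = re.compile(r"\b(?:password|secret)\s+(?:(?P<enc>\d)\s+)?(?P<value>\S+)")


def scan_config_events(lines: Iterable[str]) -> list[dict]:
    """Return findings for unknown user creation and 'disco' credentials."""
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue  # not a logged configuration command
        cmd = m.group("cmd").strip()
        u = USER_RE.match(cmd)
        if u and u.group("name") not in KNOWN_USERS:
            findings.append({"reason": "unknown user created",
                             "user": u.group("name"), "line": line})
        c = CRED_RE.search(cmd)
        # Only cleartext values can be string-matched; hashed secrets
        # (type 5/8/9) must be checked by other means.
        if c and c.group("enc") in (None, "0") and "disco" in c.group("value").lower():
            findings.append({"reason": "credential contains 'disco'", "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_config_events(SAMPLE_LOGS.splitlines()):
        print(f["reason"], "->", f["line"])
```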
## References
- Vendor Advisories: Cisco PSIRT Advisory for CVE-2025-20352 (Published around October 6, 2025).
- Relevant Links:
  - Trend Micro research report on 'Operation Zero Disco': hxxps://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
  - IoC List: hxxps://documents.trendmicro.com/images/uploads/Operation%20Zero%20Disco%20IoCs-wpV04Mt.txt