Trend Micro has uncovered a sophisticated campaign—dubbed Operation Zero Disco—that weaponizes a recently patched SNMP vulnerability in Cisco IOS and IOS XE software (CVE-2025-20352, CVSS 7.7) to deploy Linux rootkits on legacy systems. The attackers exploited the flaw as a zero-day, targeting Cisco 9400, 9300, and 3750G series devices.
As someone deeply invested in infrastructure security and threat mitigation, I see this campaign as a stark reminder that legacy systems without endpoint detection are prime targets for stealthy persistence.
What Happened?
- Attackers sent crafted SNMP packets to vulnerable Cisco devices, triggering a stack overflow and enabling remote code execution.
- Rootkits were deployed via hooks into the IOS daemon (IOSd), which runs as a Linux process.
- The malware created universal passwords, bypassed AAA authentication, and concealed configuration changes by altering timestamps.
- A UDP controller allowed attackers to toggle logs, listen on arbitrary ports, and maintain covert access.
Additional Exploits
- Modified Telnet vulnerability (based on CVE-2017-3881) used for arbitrary memory access.
- Spoofed IP and MAC addresses used to mask intrusion origins.
- Fileless components disappeared after reboot, complicating forensic analysis.
Why This Matters
1. Legacy Systems Are Low-Hanging Fruit
Older Linux-based Cisco devices without EDR are vulnerable to rootkit deployment and persistent compromise.
2. Fileless Malware Is Evolving
Hooks into IOSd and timestamp manipulation make detection difficult. Traditional logging and config audits may miss the intrusion.
3. ASLR Isn’t a Silver Bullet
Newer switches offer some protection, but repeated attempts can still succeed. Defense-in-depth remains critical.
4. Universal Passwords = Universal Risk
The rootkit’s ability to set a hardcoded password (“disco”) across devices is a direct threat to access control integrity.
Strategic Takeaways for IT Leaders
- Patch CVE-2025-20352 immediately—especially on legacy Cisco gear.
- Audit SNMP and Telnet configurations—disable or restrict where possible.
- Deploy EDR on all Linux systems—even those embedded in network appliances.
- Monitor for unusual UDP traffic and config timestamp anomalies.
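To make the SNMP/Telnet audit and the config timestamp check concrete, here is an added example (not Trend Micro's, Cisco's, or the author's code) that scans a Cisco IOS/IOS XE running-config text for SNMP v1/v2c communities that are read-write, use a well-known default string, or lack a source ACL; for VTY lines that accept Telnet; and for an ordering anomaly between the "Last configuration change" and "NVRAM config last updated" timestamps. The sample config, the `AUDIT_NOW` reference time, and the severity ratings are constructed assumptions for demonstration; the timestamp heuristic flags conditions worth a human look, not proof of compromise.

```python
"""Audit a Cisco IOS/IOS XE running-config for SNMP/Telnet exposure and
config timestamp anomalies. Added example; sample data is constructed."""
import re
from datetime import datetime

# Constructed sample running-config (assumption: not captured from any real device).
SAMPLE_CONFIG = """\
! Last configuration change at 14:02:11 UTC Tue Oct 14 2025 by admin
! NVRAM config last updated at 09:30:00 UTC Mon Oct 13 2025 by admin
!
hostname edge-sw01
!
snmp-server community public RO
snmp-server community s3cret RW
snmp-server community monitor RO 10
snmp-server group NETOPS v3 priv
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Constructed reference time for the "timestamp in the future" check (assumption).
AUDIT_NOW = datetime(2025, 10, 15, 12, 0)

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
# IOS prints: "! ... at HH:MM:SS TZ Day Mon DD YYYY by user"; the TZ token is
# skipped because strptime only understands a handful of zone names.
TS_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) \S+ (\w{3} \w{3}\s+\d{1,2} \d{4})")
# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
# (the "ipv6 <acl>" form is not modelled here).
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?", re.I)


def parse_ios_timestamp(line):
    """Return a naive datetime for an IOS timestamp comment line, or None."""
    m = TS_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %a %b %d %Y")


def audit_config(text, now=None):
    """Return a list of (severity, message) findings for the given config text."""
    findings = []
    last_change = nvram_update = None
    vty = None  # name of the VTY block currently being parsed, e.g. "vty 0 4"
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("! Last configuration change"):
            last_change = parse_ios_timestamp(line)
        elif line.startswith("! NVRAM config last updated"):
            nvram_update = parse_ios_timestamp(line)
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"SNMP community '{name}' uses a well-known default string"))
            if mode == "RW":
                findings.append(("high", f"SNMP community '{name}' is read-write"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{name}' has no source ACL"))
            continue
        if line.startswith("line vty"):
            vty = line[len("line "):]
        elif line.startswith("line "):
            vty = None  # console/aux blocks are out of scope here
        elif vty and line.strip().startswith("transport input"):
            protocols = set(line.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append(("high", f"line {vty} accepts telnet"))
    # Both timestamps come from the same device, so comparing them without the
    # zone token is safe; a running-config newer than NVRAM means unsaved changes.
    if last_change and nvram_update and last_change > nvram_update:
        findings.append(("medium", "running-config changed after last NVRAM save; review unsaved changes"))
    if now and last_change and last_change > now:
        findings.append(("high", "last configuration change timestamp is in the future"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG, now=AUDIT_NOW):
        print(f"[{severity:6}] {message}")
```

Feed it the output of `show running-config` collected over SSH from each device and diff the findings across your fleet; a community or VTY setting that only one switch has is exactly the kind of inconsistency the takeaways above are asking you to hunt for.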