Cybersecurity researchers have uncovered a sophisticated attack campaign targeting Cisco network devices through a critical SNMP vulnerability. The operation demonstrates how threat actors are exploiting enterprise infrastructure vulnerabilities to establish persistent access and deploy advanced rootkits on Linux-based systems.

Cisco SNMP Vulnerability

The campaign leverages CVE-2025-20352, a recently disclosed vulnerability in Cisco’s Simple Network Management Protocol implementation that enables remote code execution. Security teams worldwide are now racing to patch affected devices as evidence emerges of widespread exploitation attempts targeting both legacy and modern Cisco switch models.

The vulnerability at the heart of the campaign

CVE-2025-20352 represents a significant security flaw affecting both 32-bit and 64-bit Cisco switch builds, enabling attackers to achieve remote code execution through malformed SNMP requests. The vulnerability targets the authentication framework within Cisco IOS XE software, allowing unauthorized actors to bypass security controls and execute arbitrary commands on affected devices. Cisco’s security advisory confirms that the flaw affects multiple switch series, including the widely deployed 9400, 9300, and legacy 3750G models.

The exploitation process involves sending carefully crafted SNMP packets that trigger buffer overflow conditions within the device’s memory space. Threat intelligence researchers have observed attackers splitting their commands across multiple SNMP packets to circumvent packet size limitations, with captured network traffic revealing partial commands like “$(ps -a” embedded within malicious requests. This technique demonstrates the sophisticated nature of the attacks and the threat actors’ deep understanding of Cisco’s SNMP implementation.

What makes this vulnerability particularly dangerous is its accessibility through default SNMP configurations. Many organizations deploy Cisco switches with SNMP enabled using default community strings, creating an easily exploitable attack surface for remote adversaries. The combination of widespread deployment and default configurations has created an attractive target for advanced persistent threat groups seeking to establish footholds within enterprise networks.

Technical analysis of the rootkit deployment

Once attackers successfully exploit the SNMP vulnerability, they deploy a sophisticated rootkit designed specifically for Cisco’s Linux-based operating system. The malware establishes a universal password mechanism that grants backdoor access across multiple authentication methods, including AAA systems, local login procedures, and enable passwords. Notably, the password contains the word “disco,” which researchers believe represents a deliberate reference to Cisco with a single character modification.

The rootkit implements several advanced evasion techniques designed to hide the attackers’ presence from network administrators and security tools. It installs hooks directly into the IOSd memory space, creating fileless components that disappear during device reboots but provide extensive control during active sessions. These memory modifications enable the malware to manipulate device logs, hide configuration changes, and bypass access control lists without leaving permanent traces on the filesystem.

Trend Micro’s analysis reveals that the rootkit functions as a UDP listener capable of accepting packets directed to any IP address assigned to the compromised device. This communication channel enables remote attackers to configure backdoor functions and trigger various malicious activities without establishing a conventional session with the device. The malware can selectively disable logging functions, delete historical records, and reset configuration timestamps to make unauthorized changes appear legitimate.

The sophistication extends to the rootkit’s ability to hide specific account names, Embedded Event Manager scripts, and access control lists from the running configuration display. Observed hidden accounts include systematically named entries like “dg3y8dpk” through “dg7y8hpk,” while concealed EEM scripts are labeled “CiscoEMX-1” through “CiscoEMX-5.” This systematic approach suggests organized threat actors with extensive knowledge of Cisco’s administrative interfaces.
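As an added example (not code from the article or from Trend Micro’s report), the following Python audit checks an IOS-style configuration export for the two conditions described above: default SNMP community strings, and account or EEM applet names that follow the naming scheme reported for the hidden entries. The sample configuration is constructed, and the regexes that generalise the reported names ("dg3y8dpk" through "dg7y8hpk", "CiscoEMX-1" through "CiscoEMX-5") are assumptions about the scheme, not indicators published by the researchers.

```python
import re

# Constructed sample of a Cisco IOS-style configuration export (not a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tRO RO 10
username admin privilege 15 secret 5 $1$placeholder
username dg3y8dpk privilege 15 secret 5 $1$placeholder
event manager applet CiscoEMX-1
 event none
 action 1.0 cli command "enable"
"""

# Community strings commonly left at their defaults (extend per site; assumption).
DEFAULT_COMMUNITIES = {"public", "private"}
# Assumed generalisation of the reported hidden-account and EEM applet names.
ACCOUNT_PATTERN = re.compile(r"^dg\dy8[a-z]pk$")
EEM_PATTERN = re.compile(r"^CiscoEMX-\d+$")


def audit_config(config_text):
    """Return a list of (severity, finding) tuples for one config export."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?", line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default SNMP community '{community}' ({mode})"))
            elif acl is None:
                findings.append(("medium", f"SNMP community '{community}' ({mode}) has no ACL"))
            if mode == "RW":
                findings.append(("high", f"SNMP community '{community}' allows writes"))
            continue
        m = re.match(r"^username (\S+)", line)
        if m and ACCOUNT_PATTERN.match(m.group(1)):
            findings.append(("critical", f"account '{m.group(1)}' matches reported rootkit naming"))
            continue
        m = re.match(r"^event manager applet (\S+)", line)
        if m and EEM_PATTERN.match(m.group(1)):
            findings.append(("critical", f"EEM applet '{m.group(1)}' matches reported rootkit naming"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Because an infected device hides these entries from its own running-configuration display, run the check against configurations captured out-of-band (archived backups or a configuration-archive server) rather than trusting live show running-config output alone.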

Attack methodology and lateral movement tactics

The Operation Zero Disco campaign demonstrates advanced network infiltration techniques that leverage compromised Cisco devices as pivot points for broader network access. Attackers use the rootkit-infected switches to connect different VLANs and bypass internal network segmentation controls, effectively transforming network infrastructure devices into unauthorized gateways. This approach allows threat actors to circumvent perimeter security measures and access protected network segments that would otherwise be inaccessible.

The campaign employs ARP spoofing tools specifically compiled for Cisco’s guest shell environment, enabling attackers to impersonate legitimate network devices and redirect traffic flows. By manipulating ARP tables, the malware can knock legitimate hosts (waystations) offline through IP address conflicts while the compromised switch assumes their network identity. This technique enables attackers to bypass internal firewalls that restrict administrative access to specific management systems.

The attack methodology reveals careful planning and reconnaissance, with threat actors demonstrating knowledge of target network architectures and security controls. They systematically disable logging functions before performing malicious activities, then restore normal logging operations after completing their objectives. This approach minimizes detection opportunities while maintaining persistent access through the installed backdoors. Network security experts emphasize that such sophisticated tactics indicate nation-state level capabilities or highly organized cybercriminal groups.

The campaign also attempts to exploit a modified version of CVE-2017-3881, a previously patched Telnet vulnerability that the attackers have adapted to enable arbitrary memory read and write operations. This dual-vulnerability approach increases the likelihood of successful compromise and provides alternative access methods if primary exploitation attempts fail.

Implications for enterprise network security

The Operation Zero Disco campaign highlights critical vulnerabilities in enterprise network security architectures that rely heavily on perimeter defense models. Organizations that assume their internal network devices are inherently secure face significant risks when sophisticated attackers compromise core infrastructure components. The ability to transform network switches into attack platforms demonstrates how traditional security boundaries become meaningless when fundamental network infrastructure is compromised.

The targeting of older Linux systems without endpoint detection and response capabilities reveals strategic threat actor planning focused on environments with limited security visibility. Many organizations deploy network devices with minimal security monitoring, creating blind spots that sophisticated attackers can exploit for extended periods. The rootkit’s fileless characteristics and memory-based persistence mechanisms make detection particularly challenging without specialized forensic capabilities.

CISA’s vulnerability database continues to track similar infrastructure-focused attacks, emphasizing the need for comprehensive asset management and vulnerability tracking programs. Organizations must implement robust patch management procedures for network infrastructure devices, which are often overlooked in favor of server and endpoint security initiatives. The campaign underscores the importance of treating network devices as critical security assets requiring the same level of protection and monitoring as traditional IT systems.

The sophisticated nature of the attacks suggests that detection and response capabilities must evolve to address infrastructure-level threats. Traditional network monitoring tools may not identify the subtle behavioral changes associated with rootkit-infected devices, requiring specialized detection capabilities and forensic analysis procedures to identify compromised systems effectively.