
Cisco Hackers Use SNMP Flaw to Install Rootkit on Switches

Summary

– Threat actors exploited a zero-day vulnerability (CVE-2025-20352) in Cisco devices to deploy a rootkit and target unprotected older Linux systems.
– The rootkit includes a UDP controller that can disable logging, bypass security controls, hide configuration items, and enable a universal password.
– Researchers simulated an attack showing the malware could bypass firewalls, spoof IPs, and move laterally between VLANs.
– While newer switches with ASLR are more resistant, they are not immune to persistent targeting by these attacks.
– There is currently no reliable tool to detect compromise, requiring low-level firmware investigation if a hack is suspected.

Cybersecurity experts have identified a serious threat targeting Cisco networking hardware, where attackers are leveraging a recently patched remote code execution vulnerability to install a persistent rootkit. This security flaw, designated CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) within Cisco IOS and IOS XE operating systems. When exploited by someone with root-level access, it permits complete control over the device.

Researchers at Trend Micro observed these intrusions aimed at Cisco 9400, 9300, and older 3750G series switches. The attackers used the vulnerability to deploy rootkits, primarily targeting legacy Linux systems that lack modern endpoint detection and response (EDR) security tools. Cisco’s own Product Security Incident Response Team confirmed active exploitation of this flaw, originally classifying it as a zero-day threat in an advisory updated on October 6.

The campaign, dubbed ‘Operation Zero Disco’ by investigators, gets its name from a universal access password set by the malware that includes the word “disco.” In addition to the new SNMP flaw, the threat actor attempted to leverage CVE-2017-3881, a separate vulnerability in the Cluster Management Protocol that is over seven years old.

The rootkit installed on compromised Cisco equipment contains a sophisticated UDP controller. This component can listen on any network port, manipulate or erase system logs, bypass AAA authentication and VTY access control lists, and toggle the universal password feature. It also has the ability to conceal specific items from the running configuration and reset their last-modified timestamps.

During a simulated attack, analysts demonstrated the rootkit’s dangerous capabilities. It could disable logging mechanisms entirely, perform ARP spoofing to impersonate a trusted network gateway, circumvent internal firewall policies, and move laterally across different virtual LANs (VLANs).

While modern network switches benefit from built-in protections like Address Space Layout Randomization (ASLR) that make such attacks more difficult, they are not completely immune. A determined and persistent attacker could still find ways to compromise these newer devices. After the initial installation, the malware implants several hooks into the IOSd process. This results in fileless components that vanish following a system reboot, making forensic analysis challenging.

The research team successfully recovered both 32-bit and 64-bit versions of the SNMP exploit code. A significant concern raised by Trend Micro is the current absence of any automated tool capable of reliably identifying a Cisco switch compromised by this specific campaign. If an infection is suspected, the recommended course of action is a thorough, low-level inspection of the device’s firmware and ROM regions. Indicators of compromise linked to ‘Operation Zero Disco’ have been published to assist network defenders.

(Source: Bleeping Computer)
