Hackers exploit Cisco vulnerability to install rootkit on switches
Briefly

"A new attack campaign, dubbed Operation Zero Disco by Trend Micro, exploits a vulnerability in Cisco's Simple Network Management Protocol (SNMP) to install rootkits on network devices. The vulnerability, registered as CVE-2025-20352, was confirmed by Cisco in early October as an actively exploited zero-day. The flaw affects Cisco IOS and IOS XE and allows remote code execution when an attacker has root privileges."
"The research team recovered both 32-bit and 64-bit versions of the exploit. The variant for 64-bit devices requires access to the guest shell with administrator privileges (level 15), but then provides complete control over the system. In both cases, the attack is carried out via the SNMP process. The exploit can also be combined with a second vulnerability, CVE-2017-3881, an older vulnerability in the Cluster Management Protocol code that is modified in this campaign to read and write memory."
Attackers exploit CVE-2025-20352 in Cisco's SNMP implementation to execute code remotely and embed a Linux rootkit into the IOSd process on affected devices. The rootkit sets a universal password containing the word "disco" and installs hooks in IOSd memory to manipulate logs, hide configuration items, and bypass authentication. Both 32-bit and 64-bit exploit variants were recovered; the 64-bit variant requires guest shell access with privilege level 15 (administrator) before it gains full control. The campaign can chain in CVE-2017-3881 to read and write device memory. A hidden UDP controller provides persistent covert access, log deletion, AAA and VTY bypasses, and timestamp modification to cover tracks. Because the rootkit tampers with logging and timestamps on the device itself, local logs alone are not a reliable indicator of compromise; the SNMP exposure of every IOS and IOS XE device should be reviewed regardless of what the logs show.
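The flaw lives in the SNMP process, so the first thing to check on an IOS or IOS XE device is who can reach SNMP at all and with what rights. The configuration below is an added illustration, not code from the Techzine or Trend Micro write-ups and not a fix for CVE-2025-20352 itself (that requires the vendor update): a weak SNMP configuration beside a hardened one that drops v1/v2c community strings, allows only SNMPv3 authPriv with a read-only view, and restricts the source to a management subnet. The ACL name, view name, group name, user name, and the 10.0.100.0/24 management subnet are assumed placeholders.

```text
! --- Weak (constructed example): well-known community, read-write, reachable from any source ---
snmp-server community public RW

! --- Hardened (constructed example) ---
! Remove the v1/v2c community so unauthenticated or weakly authenticated polling is gone.
no snmp-server community public

! Only the management subnet (assumed 10.0.100.0/24) may talk to SNMP; log everything else.
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
 deny   any log

! Read-only view, SNMPv3 group with authentication and encryption required, bound to the ACL.
snmp-server view RO-VIEW iso included
snmp-server group NMS-GROUP v3 priv read RO-VIEW access SNMP-MGMT

! One poller account; SNMPv3 users are not shown in running-config, so check with "show snmp user".
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password> access SNMP-MGMT

! Verify from privileged EXEC:
!   show snmp community   -> no v1/v2c community strings remain
!   show snmp group       -> NMS-GROUP v3 priv, read view RO-VIEW, access list SNMP-MGMT
!   show snmp user        -> only nms-poller, auth SHA / priv AES128
```

The hardened form shrinks the attack surface for the SNMP process but does not remove the bug, and the 64-bit exploit variant already presumes privilege level 15 on the device, so an attacker who holds administrator credentials can still reach it; treat the ACL and SNMPv3 change as a stopgap and a credential-hygiene check alongside applying Cisco's fixed release.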
Read at Techzine Global