Fresh Bug Used to Deploy Rootkits on Cisco Devices

Trend Micro researchers have discovered a new malicious campaign targeting unpatched Cisco devices, using a recently fixed zero-day vulnerability to deploy rootkits that hide deep within network firmware.

The flaw, CVE-2025-20352 (CVSS 7.7), affects all supported versions of Cisco IOS and IOS XE, the operating systems powering much of the company’s switching and routing hardware. Cisco patched the issue in late September 2025, warning that it was already being exploited in active attacks.

Operation ZeroDisco

Trend Micro has named the campaign Operation ZeroDisco, after researchers found that the deployed malware sets a universal password containing the word “disco.” The attackers are focusing on older Cisco models, including the 9400, 9300, and legacy 3750G series—devices often found in enterprise networks and rarely monitored by endpoint detection tools.

The attackers exploit CVE-2025-20352, a stack overflow in the IOS SNMP (Simple Network Management Protocol) component that handles device status queries. By sending specially crafted SNMP packets over IPv4 or IPv6, attackers can trigger the flaw to execute arbitrary code.

Depending on their privileges, threat actors can either cause a denial-of-service condition or gain root-level remote code execution. Exploitation requires an SNMP read-only community string or valid SNMPv3 credentials—both of which are frequently misconfigured and exposed.

“Leaving SNMP devices accessible from the internet remains a serious operational mistake,” researchers warned, noting that Shodan still indexes more than 2 million internet-exposed SNMP devices worldwide.

Layered Exploits and Rootkit Deployment

Trend Micro reports that the group behind Operation ZeroDisco combined the new SNMP zero-day with an older vulnerability, CVE-2017-3881, a Telnet remote code execution flaw that allows direct read/write access to device memory.

• 32-bit systems: The attackers use malicious SNMP packets to send commands to the router, chaining them with the Telnet exploit for deeper access.
• 64-bit systems: They deploy the rootkit directly through the SNMP exploit, log in using the universal password, and install a fileless backdoor. Different VLANs are then leveraged for lateral movement.

Once deployed, the rootkit actively monitors UDP packets sent to any port—even closed ones—to receive hidden commands. It also modifies IOSd memory to set a universal password that bypasses most authentication mechanisms.

Stealth and Persistence

The malware inserts several hooks within IOSd, ensuring that fileless components disappear after a reboot but can be reactivated remotely. It also hides configuration changes by:

• Masking running-config elements in memory.
• Bypassing VTY (virtual terminal) access control lists.
• Disabling log history.
• Resetting configuration timestamps.

These tactics make detection extremely difficult, particularly on devices without integrated EDR visibility.

Detection Challenges and Recommendations

Trend Micro warns that there is currently no universal automated tool to confirm whether a Cisco device has been compromised as part of Operation ZeroDisco.

“If you suspect your switch has been affected, immediately contact Cisco TAC and request assistance with a low-level investigation of the firmware, ROM, and boot areas,” the researchers advised.

The campaign highlights the continuing risk of outdated network infrastructure, where legacy systems running long-supported firmware remain highly exposed to both new and recycled exploits.