Operation Zero Disco: Cisco SNMP Flaw Enables Linux Rootkit Attacks
TL;DR
Operation Zero Disco: Cisco SNMP Vulnerability Exploited to Deploy Rootkits
Trend Micro's research has revealed an attack campaign dubbed Operation Zero Disco, which exploits the Cisco SNMP vulnerability CVE-2025-20352 to deploy Linux rootkits. This allows for remote code execution (RCE) and persistent unauthorized access on vulnerable devices. The primary targets were Cisco 9400, 9300, and legacy 3750G series devices. Trend Micro customers are protected from the Cisco SNMP vulnerability exploits via specific rules and filters.
Technical Details of the Exploit
The attackers targeted older Linux systems lacking endpoint detection and response (EDR) solutions and deployed Linux rootkits to conceal their activities. The investigation uncovered that the attackers used spoofed email, IP, and MAC addresses. Once a Cisco device was compromised, the malware set a universal password containing "disco," believed to be a slight alteration of "Cisco." The malware installed hooks in the IOSd process; these components are fileless and disappear after a reboot. Newer switch models with Address Space Layout Randomization (ASLR) have reduced the intrusion success rate, but repeated attempts can still succeed. The operation also attempted to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory read/write.
Exploitation Methods
Trend's investigation recovered several exploits from a compromised Linux host; the exploits target both 32-bit and 64-bit platforms.
32-bit: an SNMP exploit capable of installing a rootkit. Network captures show the exploit traffic targeted the SNMP service of a 3750G. The attacker's command, "$(ps -a_", was split across several SNMP packets because of a length limit in the exploit, as shown in Figure 1. A Telnet exploit was also abused to allow memory read/write at arbitrary addresses.
64-bit: the SNMP exploit required the attacker to run the guest shell on the Cisco device, which needs privilege level 15. Successful exploitation allowed login using the universal password and installation of a fileless backdoor; the attacker then used a UDP controller to perform various operations. Another SNMP exploit could completely stop trace logging on the target without using mmap. A UDP controller component was used to control the rootkit, alongside an ARP spoofing tool run on the Cisco switch.
UDP Controller Functionality
The UDP controller provided several management functions: toggling log history, bypassing AAA authentication and VTY access-control lists, enabling or disabling a universal password, concealing portions of the running configuration, and resetting the timestamp of the last running-config write.
Attack Scenario Simulation
In the simulated network, each zone is separated by a core switch and a different VLAN. SSH or RDP is only allowed from a designated waystation and onto servers controlled by an internal firewall; an external firewall protects all zones. The victim uses SNMP to monitor switch status, with the SNMP community string left at the default "public" on each router.
The attacker, having obtained network details, bypasses the external firewall. By exploiting the SNMP vulnerability, the attacker gains privileged access to critical switches and core switches.
Bypassing Internal Firewalls
Gaining access to a core switch allows the attacker to connect to different VLANs by adding routing rules. To bypass the internal firewall, the attacker impersonates a waystation’s IP address by disabling the core switch log remotely, logging into the core switch, assigning the waystation IP on the port connected to the protected zone, and performing ARP spoofing. The ARP spoofing tool, a Linux ELF binary, runs on the Cisco guest shell.
Once the attacker sets up a different IP address and bypasses the internal firewall, they gain access to the protected zone. They then recover the settings on the core switch and reopen the log functionality to evade detection.
Rootkit Functionality
When the rootkit is successfully installed, the attacker gains remote control and connects different VLANs for lateral movement. The rootkit's main functions include:
- Acting as a UDP listener on any port, accepting UDP packets directed to any IP assigned to the device. This channel configures or triggers backdoor functions.
- Creating a universal password by modifying IOSd memory, which works across most authentication methods. This change is volatile and disappears after reboot.
- Hiding certain running-config items in memory, such as account names, EEM scripts, and ACLs.
- Allowing VTY ACL bypass, ignoring any ACL bound to it.
- Toggling or deleting device logs by setting the log size to zero.
- Resetting the last running-config write timestamp to hide changes.
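The first rootkit function above, a UDP listener that accepts packets on any port of any IP assigned to the device, is something a defender can look for in flow telemetry: legitimate UDP to a switch is limited to a few services from a few known hosts, so anything else inbound to a switch address is worth an alert. The following is an added example written for this page, not Trend Micro's or Cisco's code. The switch address inventory, the approved SNMP poller (10.0.50.5, matching the monitoring role in the scenario), and the flow records are all constructed for the demonstration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory for the simulated network: every address the core switch
# answers on (management IP plus SVIs), because the rootkit listens on all of them.
SWITCH_IPS = {"10.0.0.2", "10.0.10.1", "10.0.20.1"}

# UDP services the switch is expected to receive, keyed by port, with approved
# source hosts. Constructed assumption: only the NMS at 10.0.50.5 polls SNMP (161).
ALLOWED_UDP = {161: {"10.0.50.5"}}

# Constructed flow records (a NetFlow/IPFIX-style export reduced to a few columns).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,packets
2025-10-01T10:00:01Z,10.0.50.5,10.0.0.2,udp,161,12
2025-10-01T10:00:05Z,10.0.30.7,10.0.0.2,udp,161,3
2025-10-01T10:01:10Z,10.0.30.7,10.0.20.1,udp,41337,1
2025-10-01T10:01:12Z,10.0.30.7,10.0.60.9,udp,53,2
2025-10-01T10:02:00Z,10.0.50.5,10.0.0.2,tcp,22,40
2025-10-01T10:03:30Z,10.0.30.7,10.0.10.1,udp,8,1
"""


def parse_flows(text):
    """Yield flow records as dicts with numeric port and packet fields."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        row["dst_port"] = int(row["dst_port"])
        row["packets"] = int(row["packets"])
        yield row


def find_suspicious_udp(flow_text):
    """Flag inbound UDP to any switch IP that is not an approved service/source pair."""
    alerts = []
    for f in parse_flows(flow_text):
        if f["proto"].lower() != "udp" or f["dst_ip"] not in SWITCH_IPS:
            continue  # only UDP aimed at a switch address is in scope
        approved_sources = ALLOWED_UDP.get(f["dst_port"])
        if approved_sources is None:
            reason = f"udp/{f['dst_port']} to unexpected port"
        elif f["src_ip"] not in approved_sources:
            reason = f"udp/{f['dst_port']} from unapproved source"
        else:
            continue  # expected service from an expected host
        alerts.append({
            "ts": f["ts"],
            "src_ip": f["src_ip"],
            "dst_ip": f["dst_ip"],
            "dst_port": f["dst_port"],
            "reason": reason,
        })
    return alerts


def sources_touching_multiple_switch_ips(alerts):
    """Group alerts by source: one host sending odd UDP to several switch
    addresses or ports fits the 'any port, any IP' listener better than a
    single misconfigured poller does."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src_ip"]].add((a["dst_ip"], a["dst_port"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) > 1}


if __name__ == "__main__":
    found = find_suspicious_udp(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['ts']} {a['src_ip']} -> {a['dst_ip']}:{a['dst_port']} {a['reason']}")
    for src, pairs in sources_touching_multiple_switch_ips(found).items():
        print(f"{src} reached {len(pairs)} distinct switch ip/port pairs: {pairs}")
```

On the constructed records this yields three alerts, all from 10.0.30.7: an SNMP poll from a host that is not the NMS, and two UDP datagrams to arbitrary ports on two different switch addresses. Because the rootkit's channel is volatile and port-agnostic, the per-source grouping is the more useful signal than any single port.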
Detection and Security Recommendations
There is no universal automated tool to determine whether a Cisco switch has been compromised by Operation Zero Disco. If a switch is suspected to be affected, contacting Cisco TAC is recommended for a low-level investigation of the firmware, ROM, and boot regions. Cisco has issued a security advisory and updates for CVE-2025-20352, advising organizations to disable SNMP where it is unnecessary, change default community strings, and apply firmware updates immediately. Trend Vision One™ detects and blocks the IoCs.
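The simulated scenario hinges on switches whose SNMP community string is still the default "public", and the advisory's first remediation is to change default community strings and disable SNMP where it is not needed. A quick way to find that exposure across a fleet is to audit exported running-configs. The script below is an added example for this page, not Trend Micro's or Cisco's tooling. It parses `snmp-server community` lines using the IOS syntax (`snmp-server community <string> [view <name>] [RO|RW] [<acl>]`), flags default strings, and additionally flags read-write communities, communities with no access list, and configs that rely only on v1/v2c with no SNMPv3 authPriv group; those extra checks go beyond the page's text and are standard hardening, not findings from the report. Both config samples are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Vendor-default community strings; the page's remediation is to change them.
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?$", re.I
)
# An SNMPv3 group configured for authentication and privacy (encrypted) access.
V3_PRIV_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 priv\b", re.I | re.M)

# Constructed running-config excerpt matching the scenario: default community,
# a read-write community, and one community that is at least ACL-restricted.
SAMPLE_CONFIG = """\
hostname CORE-SW1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community mon-ro RO 10
snmp-server location Datacenter-A
!
access-list 10 permit 10.0.50.5
"""

# Constructed hardened excerpt: no v1/v2c communities, SNMPv3 authPriv only,
# restricted to the monitoring host by access-list 10.
HARDENED_CONFIG = """\
hostname CORE-SW1
!
snmp-server group NMS-GROUP v3 priv access 10
!
access-list 10 permit 10.0.50.5
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # the config line that triggered the finding
    reason: str


def parse_communities(config_text):
    """Extract every v1/v2c community definition from a running-config export."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, view, mode, acl = m.groups()
        entries.append({
            "line": line,
            "community": community,
            "view": view,
            "mode": (mode or "RO").upper(),  # IOS defaults a community to read-only
            "acl": acl,
        })
    return entries


def audit_snmp(config_text):
    """Return findings for weak SNMP settings in the given running-config text."""
    findings = []
    entries = parse_communities(config_text)
    for e in entries:
        if e["community"].lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("high", e["line"], "default community string"))
        if e["mode"] == "RW":
            findings.append(Finding("high", e["line"], "read-write community permits configuration changes"))
        if e["acl"] is None:
            findings.append(Finding("medium", e["line"], "community not restricted by an access list"))
    # v1/v2c communities are cleartext credentials; note when nothing stronger exists.
    if entries and not V3_PRIV_GROUP_RE.search(config_text):
        findings.append(Finding("low", "snmp-server community ...",
                                "only v1/v2c communities configured; no SNMPv3 authPriv group"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a fleet-wide report."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp(cfg)
        print(f"{name}: {count_by_severity(results) or 'no findings'}")
        for f in results:
            print(f"  [{f.severity}] {f.line}: {f.reason}")
```

Run against the sample excerpt this reports three high findings (two default strings, one read-write community), two medium (communities with no ACL) and one low (no SNMPv3 group); the hardened excerpt produces none. Feeding it the output of `show running-config` collected from each switch gives a fast first pass on which devices still match the exposure the scenario relies on.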