
Unpatched Cisco Devices Vulnerable to Zero Day Rootkit Attack

A new campaign dubbed Operation ZeroDisco is actively deploying a rootkit on older, unpatched Cisco devices, according to a report from Trend Micro. The attackers are exploiting a recently patched zero-day vulnerability to compromise critical networking equipment. 

Exploit and Targets 

The primary flaw being exploited is CVE-2025-20352 (CVSS score 7.7), a stack overflow in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE. Cisco patched it in late September after warning that it was already being exploited in the wild. A low-privileged attacker can use it to trigger a Denial-of-Service (DoS); a high-privileged attacker can achieve Remote Code Execution (RCE).

Operation ZeroDisco specifically targets older, vulnerable devices, including the Cisco 9400, 9300, and legacy 3750G series switches. The attackers are focusing on environments that run older Linux systems and lack endpoint detection and response (EDR) solutions. They also leverage a modified exploit for CVE-2017-3881, a Telnet flaw that also results in RCE. 

Rootkit Functionality 

The rootkit is deployed to hide the attackers' activity and evade security investigations. The universal password it sets contains the word 'disco', a one-letter change from 'Cisco', which gives the campaign its name.

The rootkit is sophisticated, offering several stealth and persistence features: 

  • It monitors UDP packets sent to any port, even closed ones, allowing attackers to configure or trigger hidden backdoor functions. 
  • It modifies IOSd memory to set up a universal password that bypasses most authentication methods. 
  • It hides running-config items in memory, disables log history, and resets running-config write timestamps to conceal changes made to the device. 
  • It allows the bypass of Access Control Lists (ACLs) applied to VTY, facilitating remote access and lateral movement across connected VLANs. 
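Two of the behaviours above are visible from the network side: SNMP reaching a switch from a host that should not be polling it (the CVE-2025-20352 exploit path) and UDP datagrams arriving at a switch on ports that are not supposed to be open (the rootkit's trigger channel). The following hunting heuristic is an added example, not code from Trend Micro or Cisco; the switch inventory, the SNMP allowlist and the flow records are constructed assumptions, and it complements rather than replaces the on-device investigation the report calls for.

```python
"""Network-side hunting heuristic for the two UDP-related indicators above.

Flags (1) SNMP (UDP/161) to a switch from outside the monitoring allowlist and
(2) UDP to a switch on a port not expected to be open. All inventory values and
flow records are assumptions constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


# Assumed inventory: switch management IPs and the UDP ports legitimately open on them.
SWITCH_MGMT = {"10.10.0.5": {161}, "10.10.0.6": {161}}
# Assumed monitoring subnet that is allowed to poll SNMP.
SNMP_ALLOWLIST = [ip_network("10.10.100.0/24")]


def classify(flow: Flow) -> Optional[str]:
    """Return an indicator label for a suspicious flow, or None if it looks benign."""
    if flow.proto != "UDP" or flow.dst not in SWITCH_MGMT:
        return None  # only UDP to a known switch is in scope here
    if flow.dport == 161:
        src = ip_address(flow.src)
        if any(src in net for net in SNMP_ALLOWLIST):
            return None
        return "snmp-from-unexpected-source"
    if flow.dport not in SWITCH_MGMT[flow.dst]:
        return "udp-to-closed-port"  # rootkit is reported to listen on closed ports
    return None


def hunt(flows: Iterable[Flow]) -> Dict[Tuple[str, str, str], int]:
    """Aggregate suspicious flows by (src, dst, label) with their packet totals."""
    hits: Dict[Tuple[str, str, str], int] = {}
    for f in flows:
        label = classify(f)
        if label:
            key = (f.src, f.dst, label)
            hits[key] = hits.get(key, 0) + f.packets
    return hits


# Constructed sample records (not real traffic).
SAMPLE = [
    Flow("10.10.100.20", "10.10.0.5", "UDP", 161, 40),   # monitoring poll: benign
    Flow("192.0.2.77", "10.10.0.5", "UDP", 161, 12),     # SNMP from outside allowlist
    Flow("192.0.2.77", "10.10.0.5", "UDP", 49152, 1),    # datagram to a closed port
    Flow("10.10.100.20", "10.10.0.6", "TCP", 22, 300),   # SSH: out of scope (TCP)
]

if __name__ == "__main__":
    for (src, dst, label), pkts in hunt(SAMPLE).items():
        print(f"{label:28} {src} -> {dst} ({pkts} pkts)")
```

The same record shape can be fed from NetFlow or IPFIX exports; a single source producing both labels against one switch is the pattern worth escalating.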

Because the rootkit is embedded so deeply in the device's operating system, Trend Micro notes that there is no simple automated tool to confirm a compromise. It recommends that organizations suspecting an infection contact Cisco TAC immediately for a low-level investigation of the firmware and boot regions.
