Parts of the exploit chain are fileless or volatile: some components disappear on reboot, while hooks left in memory endure and some functions are reactivated dynamically, all of which complicates detection.
“Currently, there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation,” the researchers said. “If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions.”
Additional Trend recommendations include applying patches for CVE-2025-20352, hardening SNMP access (restrict management-plane reachability, enforce ACLs), and deploying network/endpoint detections that hunt for the indicators of compromise (IoCs) and unusual UDP SNMP controller traffic. Trend also recommended combining its Trend Cloud One Network Security, Trend Vision One, and Deep Discovery offerings for targeted network inspection and XDR against ZeroDisco efforts.
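The SNMP-hardening advice above (restrict management-plane reachability, enforce ACLs) maps onto a handful of Cisco IOS/IOS-XE configuration lines. The following is an added illustration, not configuration from the Trend report or from Cisco's advisory: it shows a weak, commonly seen SNMP setup beside a hardened one. The community strings, ACL name, group and user names, the 10.10.0.0/24 management subnet, the 10.10.0.10 NMS host and the GigabitEthernet0/0 management interface are all assumed placeholders; substitute your own, and check the exact syntax against your platform's release notes before applying.

```cisco
! --- WEAK (illustrative, do not deploy) ---
! SNMPv2c with guessable community strings, no ACL: any host that can
! reach the switch's SNMP service can query it, and "private" can write.
snmp-server community public RO
snmp-server community private RW

! --- HARDENED (added example; names and addresses are assumed) ---
! 1. Remove the v1/v2c communities so only SNMPv3 remains.
no snmp-server community public
no snmp-server community private

! 2. Standard ACL naming the only hosts allowed to talk SNMP to the switch.
!    10.10.0.0/24 is an assumed management subnet; "deny any log" records
!    anything else that tries, which doubles as a cheap hunting signal.
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
 deny any log

! 3. SNMPv3 group with authentication + privacy, bound to the ACL.
!    Requests from sources outside SNMP-MGMT are dropped before processing.
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT

! 4. SNMPv3 user in that group. Replace the placeholder secrets; use
!    SHA for authentication and AES-128 for privacy (no MD5/DES).
snmp-server user nms-user NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER

! 5. Send traps only to the assumed NMS host, also over authPriv v3.
snmp-server host 10.10.0.10 version 3 priv nms-user

! 6. Management Plane Protection: only the dedicated management interface
!    (assumed GigabitEthernet0/0) accepts SSH and SNMP at all, so the
!    service is not reachable via user-facing or transit interfaces.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp

! If a legacy v2c poller cannot be retired yet, at minimum bind its
! community to the same ACL and keep it read-only:
!   snmp-server community LONG-RANDOM-STRING RO SNMP-MGMT
```

After applying, confirm the result from outside the allowed subnet (for example `snmpwalk -v2c -c public <switch>` should time out rather than answer) and watch the `deny any log` hits, which show who is still probing the management plane. None of this replaces patching CVE-2025-20352: it reduces who can reach the SNMP service and with what privilege, but it does not remove the vulnerable code path.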