Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.
The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.
“The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said.
The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.
Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection response solutions enabled, making it possible to deploy the rootkits in order to fly under the radar. In addition, the adversary is said to have used spoofed IPs and Mac email addresses in their intrusions.
The rootkit is commandeered by means of a UDP controller component that that can serve as listener for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, conceal certain portions of the running configuration, and hide changes made to the configuration by altering the timestamp to give the impression that it was never modified.
Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.
The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it — a one-letter change from “Cisco.”
“The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”
