Threat Actors Exploit Cisco SNMP Vulnerability To Install Linux Rootkits

Security researchers from Trend Micro have revealed the details of a sophisticated new cyber campaign dubbed Operation Zero Disco, which leverages a recently disclosed vulnerability in Cisco IOS and IOS XE Software to compromise aging network infrastructure. The attackers have reportedly been exploiting this flaw to implant Linux-based rootkits on unprotected or end-of-life devices, giving them long-term, stealthy access within enterprise environments.

The exploited vulnerability, tracked as CVE-2025-20352 (CVSS 7.7), affects the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software. SNMP is widely used for network monitoring and device management, and it has long been a favoured target because community strings are frequently left at their defaults and the protocol exposes device state and, with write access, device configuration. The flaw is a stack overflow triggered by a specially crafted SNMP packet sent to a vulnerable device, and all SNMP versions (v1, v2c and v3) are affected. According to Cisco's advisory, the privilege required determines the impact: an attacker holding only a read-only SNMPv2c community string or valid SNMPv3 user credentials can crash the device (denial of service), while an attacker who additionally holds administrative (privilege 15) credentials on the device can achieve arbitrary code execution as root.

What makes CVE-2025-20352 particularly dangerous is its reach: every device running a vulnerable IOS or IOS XE release with SNMP enabled is affected, which covers the enterprise switches and routers that form the backbone of many internal IT networks. Cisco's Product Security Incident Response Team (PSIRT) confirmed in-the-wild exploitation at the time the advisory was published, after local administrator credentials on a target had been compromised. In other words, the bug was already being used as a zero-day rather than picked up by attackers after disclosure.

Trend Micro's investigation found that Operation Zero Disco focused on older Cisco switch models, specifically the Catalyst 9400 and 9300 series and the legacy 3750G. Alongside the new SNMP vulnerability, the attackers attempted to use a modified exploit for CVE-2017-3881, the older Telnet (Cluster Management Protocol) vulnerability in IOS and IOS XE, to obtain arbitrary memory read and write. The two were chained to install rootkits on older Linux-based platforms that have no Endpoint Detection and Response (EDR) coverage. Once installed, the rootkit conceals the attacker's activity, evades the device's own detection and logging, and survives ordinary administrative clean-up of accounts and configuration, although its in-memory components do not survive a reboot.

Trend Micro's report notes that once a Cisco device is successfully infected, the malware sets a universal backdoor password containing the word "disco", a play on "Cisco", which the researchers believe serves as both a campaign signature and a covert access credential. The malware then embeds itself in the device's operating environment by installing multiple hooks into the IOS daemon (IOSd). These hooks are fileless: they exist only in memory, so they leave minimal forensic traces on disk, but they also vanish when the device reboots, which is why the operators rely on re-entry through the backdoor rather than on-disk persistence.

Newer Cisco models incorporate Address Space Layout Randomization (ASLR), which makes memory corruption exploits such as this one less reliable, but Trend Micro emphasizes that repeated intrusion attempts can still succeed. A payload that misses the randomized layout typically crashes the target process rather than raising an alarm, so the attackers simply retry, adjusting the payload, until an attempt lines up with the current memory layout.

During the forensic investigation, Trend Micro analysts uncovered exploit variants for both 32-bit and 64-bit builds. The SNMP-based payloads deploy fileless backdoors on 64-bit builds, while the Telnet exploit provides arbitrary read/write access to memory. Once a foothold is established, the operators run a UDP controller and an ARP spoofing tool from the Cisco shell, giving them the ability to redirect traffic flows, erase logs, and bypass standard access controls, so that they can operate largely unseen inside the compromised environment.

The tactics observed in Operation Zero Disco follow a structured and methodical progression. Attackers typically begin with core switches in segmented enterprise networks, systems that are often isolated behind both external and internal firewalls. By using default SNMP community strings (such as "public" or "private") that remain unchanged on many network devices, they gain privileged access to those switches. Once inside, they modify routing tables and VLAN configurations to create new paths between network segments. In some cases, the attackers impersonate a trusted "waystation" IP address, knocking the legitimate host offline through an IP address conflict so that their traffic passes internal firewalls as if it came from the trusted host. After the intrusion, they restore the switch configuration and re-enable logging, erasing the evidence of compromise.


Once the Linux rootkit is deployed, the attackers have full remote command and control. The malware installs a UDP listener that accepts commands on any port, so firewall port filtering on its own does not block it. It also injects a volatile universal password into IOSd memory that is accepted by every authentication method until the next reboot, which lets the attackers regain privileged access at any time without leaving a persistent user account behind. The rootkit further conceals its presence by hiding administrative accounts, Embedded Event Manager (EEM) scripts, and Access Control Lists (ACLs) from the running configuration, and it can suppress or delete system logs and alter timestamps so that configuration changes appear legitimate.

Trend Micro’s analysis concludes that the campaign represents a significant evolution in network-layer persistence techniques, blending classic exploitation methods with modern evasion tactics. By focusing on infrastructure devices that often sit outside the visibility of conventional endpoint protection tools, the attackers behind Operation Zero Disco have found a way to persist within highly segmented networks for extended periods. The researchers warn that organizations running legacy Cisco hardware or outdated firmware remain particularly vulnerable, especially when SNMP services are exposed or misconfigured.

Cisco and Trend Micro have both published technical indicators and mitigation recommendations. Network administrators are urged to apply Cisco's fixed releases, disable SNMP where it is not needed, restrict it to trusted management hosts with an access list where it is, replace default or shared community strings (and prefer SNMPv3 with authentication and encryption), and enforce strict network segmentation to reduce the attack surface. Cisco's advisory also describes excluding the affected OIDs from SNMP views as a temporary workaround for devices that cannot be patched immediately. Trend Micro has made the Indicators of Compromise (IoCs) for Operation Zero Disco publicly available for defenders seeking to verify potential infections within their environments.
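The attack flow above starts with default community strings, and the mitigations come down to a handful of SNMP configuration lines. The following script is an added example written for this article, not code from Cisco or Trend Micro: it audits an IOS-style running configuration for the SNMP weaknesses discussed (default community strings, read-write communities, communities without a source ACL, SNMPv3 groups below authPriv, and trap destinations still on v1/v2c) and emits the remediation commands. The sample configuration, the list of well-known community strings and the `<acl>`/`<v3-user>` placeholders are constructed for the example; the regular expressions cover the common forms of the `snmp-server` commands, not every option IOS accepts.

```python
import re
from dataclasses import dataclass

# Constructed running-config fragment for this example; it is not taken
# from any real device or from the Trend Micro report.
SAMPLE_CONFIG = """\
hostname core-sw1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO 10
snmp-server group NETMON v3 priv access 10
snmp-server group LEGACY v3 noauth
snmp-server host 192.0.2.10 version 2c public
!
access-list 10 permit 192.0.2.10
"""

# Community strings that ship as defaults or that scanners try first
# (assumed list for the example; extend it from your own wordlists).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+)\s+v3\s+(noauth|auth|priv)\b", re.I)
HOST_RE = re.compile(
    r"^snmp-server host (\S+)(?:\s+(?:traps|informs))?\s+version\s+(1|2c|3)\b", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # offending configuration line
    reason: str
    fix: str        # IOS command that remediates it (placeholders in <>)


def audit_snmp(config: str) -> list[Finding]:
    """Return a Finding for every SNMP line that widens the attack surface."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                # A default string is enough for the DoS path of CVE-2025-20352
                # and is the first thing the Zero Disco operators tried.
                findings.append(Finding("high", line,
                    f"default/well-known community '{name}'",
                    f"no snmp-server community {name}"))
            elif mode == "RW":
                findings.append(Finding("high", line,
                    "read-write community allows configuration changes over SNMPv2c",
                    f"no snmp-server community {name}"))
            elif acl is None:
                findings.append(Finding("medium", line,
                    "community not restricted to a source ACL",
                    f"snmp-server community {name} {mode} <acl>"))
        elif m := GROUP_RE.match(line):
            group, level = m.group(1), m.group(2).lower()
            if level != "priv":
                findings.append(Finding("medium", line,
                    f"SNMPv3 group '{group}' uses '{level}' instead of authPriv",
                    f"snmp-server group {group} v3 priv access <acl>"))
        elif m := HOST_RE.match(line):
            host, ver = m.group(1), m.group(2)
            if ver != "3":
                findings.append(Finding("low", line,
                    f"trap/inform destination {host} uses cleartext SNMPv{ver}",
                    f"snmp-server host {host} version 3 priv <v3-user>"))
    return findings


def remediation(findings: list[Finding]) -> list[str]:
    """Unique remediation commands, ordered from high to low severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    seen: set[str] = set()
    commands = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        if f.fix not in seen:
            seen.add(f.fix)
            commands.append(f.fix)
    return commands


if __name__ == "__main__":
    results = audit_snmp(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.line}\n          {f.reason}")
    print("\nRemediation:")
    for cmd in remediation(results):
        print(" ", cmd)
```

Run it against the output of `show running-config` saved from each device; only the `snmp-server` lines matter to it. Removing a community string does not by itself close CVE-2025-20352 (the fixed release does that), but it removes the credential that turns an anonymous network position into the read-only access the DoS path needs, and a source ACL on the remaining communities keeps that access to the management hosts that actually poll the device.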

Access the Indicators of Compromise (IoCs) documented by Trend Micro in their Operation Zero Disco report.

WarMax356 Founder