Hackers exploit Cisco SNMP flaw CVE-2025-20352 in “Zero Disco” attacks to deploy Linux rootkits on outdated systems, researchers report.

Trend Micro researchers disclosed details of a new campaign, tracked as Operation Zero Disco, that exploited a recently disclosed security flaw in Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.

The vulnerability, tracked as CVE-2025-20352 (CVSS score: 7.7), resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and IOS XE Software. The high-severity flaw allows remote authenticated attackers to trigger a DoS condition with low privileges, or to achieve root code execution with high privileges. An attacker could exploit the flaw by sending a crafted SNMP packet to a vulnerable device over IPv4 or IPv6 networks. The root cause is a stack overflow condition in the SNMP subsystem of the affected software. The vulnerability affects all devices with SNMP enabled.

Cisco’s Product Security Incident Response Team (PSIRT) is aware of attacks in the wild exploiting this vulnerability.

Operation Zero Disco mainly targeted Cisco 9400, 9300, and legacy 3750G devices, and also attempted to exploit a modified Telnet flaw (derived from CVE-2017-3881) for memory access. The campaign focused on older Linux systems lacking EDR protection, deploying rootkits to conceal malicious activity and evade detection.

“Trend investigation revealed that once a Cisco device has a rootkit implanted, the malware sets a universal password that includes the word “disco” in it, which Trend Research believes is a one-letter change from Cisco. The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot.” reads the report published by Trend Micro.
“Newer switch models provide some protection via Address Space Layout Randomization (ASLR) which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”

Trend Micro’s investigation recovered multiple exploits used in the campaign against Cisco devices (32- and 64-bit). The threat actors abused SNMP exploits to install rootkits (fileless backdoors on 64-bit builds) and used a Telnet exploit to enable arbitrary memory read/write. The attackers used a UDP controller and an ARP spoofing tool to operate the implants, which could delete logs, hide configuration changes, bypass access controls, and enable a backdoor password, keeping the attackers hidden and persistent.

In the scenario Trend Micro describes, the attackers target core switches in a segmented network protected by external and internal firewalls. They exploit the default “public” SNMP community on the switches to gain privileged access. With switch access they add routing rules to reach other VLANs. They then impersonate a waystation IP to bypass the internal firewall: they disable switch logging, assign the waystation IP to a core port, and run an ARP-spoofing tool from the Cisco shell, so the real waystation goes offline because of the IP conflict. Once inside the protected zone, they restore the switch settings and re-enable logs to hide their activity. Real incidents often follow the same pattern, but with greater complexity.

Upon installing the rootkit, the attackers gain remote control and link two VLANs to move laterally. The rootkit opens a UDP listener on any port and IP (the port need not be open) to receive commands. It injects a volatile universal password into IOSd memory that works across authentication methods until reboot. It can hide accounts, EEM scripts, and ACLs from the running config, bypass VTY ACLs, disable or erase logs, and reset the last config-write timestamp to cover its changes.

Trend Micro published Indicators of Compromise (IoCs) here.
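As a defender-side illustration of the two weak points the campaign relies on (a default SNMP community string and disabled logging), here is an added example, not code from the Trend Micro report or any Cisco tool, that audits a constructed Cisco IOS running-config excerpt for default community strings, communities with no access-list restriction, and logging turned off.

```python
import re
from typing import List

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname core-sw-1
!
snmp-server community public RO
snmp-server community s3cret-rw RW
snmp-server community mon-ro RO 10
ip access-list standard 10
 permit 10.0.0.0 0.0.0.255
!
no logging on
"""

# Community strings that ship as defaults and are routinely guessed.
DEFAULT_COMMUNITIES = {"public", "private"}

# Matches "snmp-server community <name> RO|RW [<acl>]" on IOS / IOS XE.
_COMMUNITY_RE = re.compile(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?$")


def audit_snmp_config(config: str) -> List[str]:
    """Return human-readable findings for weak SNMP and logging settings."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        match = _COMMUNITY_RE.match(line)
        if match:
            community, mode, acl = match.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{community}' ({mode})")
            if acl is None:
                # Without an ACL any host that can reach the device may query it.
                findings.append(f"community '{community}' ({mode}) has no access-list restriction")
        elif line == "no logging on":
            # Disabled logging is exactly what the intruders rely on to hide activity.
            findings.append("logging is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a config exported with `show running-config`; an empty result means the three checks passed, not that the device is patched.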
Pierluigi Paganini (SecurityAffairs – hacking, Zero Disco)