Cybersecurity researchers have revealed details of a new campaign that exploits recently disclosed security flaws affecting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusion has not been attributed to any known threat actor or group.
The flaw was fixed by Cisco late last month, but not before it was exploited as a zero-day attack in the wild.
“This operation primarily affected Cisco 9400, 9300, and legacy 3750G series devices. There was also an attempt to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to gain memory access,” researchers Dove Chiu and Lucien Chuang said.
The cybersecurity firm also noted that the rootkit allowed attackers to remotely execute code and maintain persistent unauthorized access by setting a universal password and installing hooks in the memory space of the Cisco IOS daemon (IOSd). IOSd runs as a software process within the Linux kernel.
Another notable aspect of this attack is that it targeted victims running older Linux systems without endpoint detection and response (EDR) solutions, allowing the attackers to fly under the radar and deploy the rootkit. Additionally, the attackers allegedly used spoofed IP and MAC addresses during the breach.
The rootkit is controlled by a UDP controller component that listens for incoming UDP packets on any port and can toggle or disable logging history, modify IOSd memory to create a universal password, bypass AAA authentication, hide parts of the running configuration, and alter timestamps to conceal configuration changes, giving the impression that no changes have been made.
In addition to CVE-2025-20352, the attackers have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 to allow memory reads and writes at arbitrary addresses. However, the exact purpose of this function remains unclear.
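As an added illustration (not from Trend Micro's report or this article), a small audit over a constructed Cisco IOS configuration that flags the two exposure conditions the campaign relies on: SNMP community strings reachable without an access list (the SNMP flaw requires authenticated access, so community strings and the ACLs on them are the gate) and Telnet accepted on VTY lines. The sample configuration, the regular expression and the findings format are assumptions.

```python
"""Audit a Cisco IOS/IOS XE running configuration for SNMP communities
without an access list and for VTY lines that accept Telnet.
The configuration below is constructed for illustration only."""
import re

SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community s3cret RW
snmp-server community mon RO 10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Matches the simple community form: name, RO/RW, optional standard ACL.
SNMP_RE = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$")


def audit_config(config: str) -> list[str]:
    """Return human-readable findings for the given running-config text."""
    findings = []
    vty = None  # the 'line vty ...' block we are currently inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = SNMP_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if acl is None:
                findings.append(f"SNMP community '{name}' ({mode}) has no access list")
            if name.lower() in {"public", "private"}:
                findings.append(f"SNMP community '{name}' is a well-known default")
        if not raw.startswith(" "):  # a new top-level block starts here
            vty = line if line.startswith("line vty") else None
        elif vty and line.startswith("transport input"):
            allowed = set(line.split()[2:])  # protocols after 'transport input'
            if allowed & {"telnet", "all"}:
                findings.append(f"{vty}: Telnet accepted ({line})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```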
The name “Zero Disco” comes from the fact that the embedded rootkit sets a universal password containing the word “disco”, which is “Cisco” with one letter changed.
“The malware then installs several hooks on IOSd, which results in the fileless component disappearing after a reboot,” the researchers note. “The new switch model provides some protection through Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts. However, be aware that repeated attempts may still be successful.”