Security teams got a rude reminder this month: older, unpatched Cisco switches are being actively targeted and backdoored with a Linux rootkit in a campaign Trend Micro has named Operation ZeroDisco. If you manage campus or branch network gear, especially older 9400/9300/3750G-series hardware, read this now. The attackers are chaining a recent SNMP zero‑day with a reused Telnet exploit to get persistent, stealthy access.
What the attackers are exploiting
Vulnerability: CVE‑2025‑20352 (CVSS 7.7), a stack‑overflow bug in SNMP on Cisco IOS / IOS XE. Cisco released a patch in late September after confirming in‑the‑wild exploitation.
Secondary exploit: A modified exploit for CVE‑2017‑3881 (a Telnet RCE) that the adversary uses to read/write memory on affected devices.
Targets: Older Linux‑based devices (Trend Micro observed Cisco 9400, 9300 and legacy 3750G models).
Campaign name: Operation ZeroDisco. The malware sets a universal password containing the text “disco” (a one-letter change from “Cisco”), hence the name.
How the attack works (high level)
On 32‑bit devices the attackers send malicious SNMP packets to execute commands and use the Telnet exploit to obtain arbitrary memory read/write.
On 64‑bit devices they deploy a rootkit via the SNMP bug, set the universal “disco” password in memory, then log in and install a fileless backdoor. They can also connect different VLANs to move laterally.
The rootkit monitors UDP packets (even those sent to closed ports) so that specially crafted packets can trigger backdoor functionality. It also tampers with IOSd memory to:
- install the universal password across many auth methods,
- hide running‑config items in memory,
- bypass ACLs applied to VTY,
- disable or tamper with log history,
- reset running‑config timestamps to conceal changes.
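The attack chain above rides on two management services, SNMP and Telnet, that are often left wide open on older campus switches. As an added example (not Trend Micro's tooling and not code from the article), the script below triages an inventory of Cisco IOS / IOS XE switches for patch prioritisation: it flags device families the article says were observed being targeted (9400, 9300, 3750G), SNMP communities with write access, no source ACL or a well-known default name, and VTY lines that still accept Telnet. The model strings, hostnames, community names and configs are constructed samples; the "show version" model format and the idea that a missing `transport input` leaves Telnet reachable are my assumptions, so adapt the checks to your platforms.

```python
import re
from dataclasses import dataclass

# Device families the article says Trend Micro observed being targeted
# (Cisco 9400, 9300 and legacy 3750G), matched against the "show version"
# model string. Other families are not asserted to be safe.
TARGETED_MODEL_PATTERNS = (r"C9400", r"C9300", r"3750G")

# Community names treated as guessable defaults (my assumption, not from the article).
WEAK_COMMUNITY_NAMES = {"public", "private"}

# "snmp-server community <name> [view <v>] RO|RW [<acl>]" on one line.
SNMP_COMMUNITY_RE = re.compile(
    r"^snmp-server community[ \t]+(\S+)(?:[ \t]+view[ \t]+\S+)?[ \t]+(RO|RW)(?:[ \t]+(\S+))?[ \t]*$",
    re.M,
)
# A "line vty ..." header followed by its indented sub-commands.
VTY_BLOCK_RE = re.compile(r"^line vty [^\n]*\n((?:[ \t]+[^\n]*\n?)*)", re.M)
TRANSPORT_RE = re.compile(r"^[ \t]*transport input[ \t]+(.+)$", re.M)
HOSTNAME_RE = re.compile(r"^hostname[ \t]+(\S+)", re.M)


@dataclass
class Finding:
    hostname: str
    model: str
    issues: list  # (code, detail) tuples


def parse_running_config(text: str) -> dict:
    """Pull out the parts of an IOS running-config that matter for this campaign."""
    m = HOSTNAME_RE.search(text)
    hostname = m.group(1) if m else "unknown"
    communities = [
        {"name": c.group(1), "mode": c.group(2), "acl": c.group(3)}
        for c in SNMP_COMMUNITY_RE.finditer(text)
    ]
    vty_transports = []
    for block in VTY_BLOCK_RE.finditer(text):
        t = TRANSPORT_RE.search(block.group(1))
        # No explicit "transport input" is treated as "default" and flagged below.
        vty_transports.append(t.group(1).strip() if t else "default")
    return {"hostname": hostname, "communities": communities, "vty": vty_transports}


def triage(model: str, config_text: str) -> Finding:
    """Rank one switch by its exposure to the SNMP + Telnet chain described in the article."""
    cfg = parse_running_config(config_text)
    issues = []
    if any(re.search(p, model) for p in TARGETED_MODEL_PATTERNS):
        issues.append(("TARGETED_MODEL",
                       f"{model}: family observed in Operation ZeroDisco; confirm CVE-2025-20352 patch level"))
    for c in cfg["communities"]:
        if c["mode"] == "RW":
            issues.append(("SNMP_RW", f"community {c['name']} grants write access"))
        if c["acl"] is None:
            issues.append(("SNMP_NO_ACL", f"community {c['name']} has no source ACL"))
        if c["name"].lower() in WEAK_COMMUNITY_NAMES:
            issues.append(("SNMP_DEFAULT_COMMUNITY", f"community {c['name']} is a well-known default"))
    for t in cfg["vty"]:
        if t in ("default", "all") or "telnet" in t.split():
            issues.append(("VTY_TELNET", f"vty transport input '{t}' is not restricted to ssh"))
    return Finding(cfg["hostname"], model, issues)


# Constructed sample configs (not real devices).
SAMPLE_EXPOSED = """\
hostname sw-branch-01
!
snmp-server community public RO
snmp-server community netmgmt RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
"""

SAMPLE_HARDENED = """\
hostname sw-core-02
!
snmp-server community monitoring RO 10
!
line vty 0 15
 transport input ssh
 access-class 20 in
"""

if __name__ == "__main__":
    for model, cfg in (("WS-C3750G-24TS", SAMPLE_EXPOSED), ("C9300-48P", SAMPLE_HARDENED)):
        f = triage(model, cfg)
        print(f"{f.hostname} ({f.model}): {len(f.issues)} issue(s)")
        for code, detail in f.issues:
            print(f"  [{code}] {detail}")
```

This is exposure triage, not infection detection: the article notes the rootkit can hide running-config items in memory, so a config pulled from an already-compromised switch may not be telling the truth. Feed the script configs captured out-of-band where possible, and treat a TARGETED_MODEL hit as a prompt to verify the patch level, not as proof either way.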
Why this is bad
This isn’t just a noisy DoS exploit; it’s a stealthy, persistent compromise that actively hides from blue teams. Because the malware modifies device memory and running config in ways that don’t always show in persistent storage, standard checks can miss it. Trend Micro warns there’s currently no reliable universal automated tool to detect ZeroDisco infections across switches.