
New bug exploited to install rootkits on Cisco devices

Older Cisco network devices that have not been patched against a recently discovered zero-day vulnerability are being infected with a rootkit as part of a new malicious campaign, experts at Trend Micro warn.

The vulnerability CVE-2025-20352 (7.7 on the CVSS scale) was fixed in late September 2025, and at the time Cisco warned that the issue was already being exploited in real-world attacks.

According to Cisco, this vulnerability is present in all supported versions of Cisco IOS and Cisco IOS XE, the operating systems that run on a wide range of the company’s networking equipment. The issue can be exploited by low-privileged users for DoS attacks, or by high-privileged users to execute arbitrary code with root privileges.

The vulnerability is caused by a stack overflow in an IOS component responsible for handling SNMP (Simple Network Management Protocol)—a protocol that routers and other equipment use to collect and process information about devices on the network. To exploit the issue, an attacker only needs to send specially crafted SNMP packets over IPv4 or IPv6.

To execute malicious code, a remote attacker needs a read-only community string (the SNMP-specific form of authentication for accessing managed devices) and, in addition, privileges on the vulnerable system; with both, they can achieve remote code execution with root privileges.

To carry out a denial-of-service attack, the attacker only needs a read-only community string or valid SNMPv3 user credentials.

In general, leaving SNMP devices accessible over the internet is considered bad practice. However, at the end of September it was reported that the Shodan search engine detects more than 2 million such devices accessible worldwide.

Trend Micro now reports that a hacker group is exploiting CVE-2025-20352 to deploy a rootkit on older devices, including the Cisco 9400, 9300, and the legacy 3750G series.

The attacks target victims with legacy Linux systems that lack EDR solutions. The attackers deploy Linux rootkits on such systems to conceal their activity and evade detection.

This campaign was dubbed Operation ZeroDisco because the malware sets a universal password that contains the word “disco”.

In addition to CVE-2025-20352, the hackers used a modified exploit for the old issue CVE-2017-3881 — a Telnet RCE bug that allows reading from and writing to memory.

Against 32-bit systems, the attackers used malicious SNMP packets that sent commands to vulnerable devices, and also relied on a Telnet exploit to gain read/write access to memory.

Against 64-bit systems, the hacking group used an SNMP exploit to deploy a rootkit, then logged in using a universal password and deployed a fileless backdoor. The attackers also leveraged different VLANs for lateral movement.

As Trend Micro explains, the rootkit monitors UDP packets sent to any port on the device (even a closed one), allowing attackers to configure or trigger backdoor functions. The malware also modifies IOSd memory to set a universal password that works with most authentication methods.

Trend Micro specifically notes that after deploying the rootkit, the malware “installs several hooks in IOSd, which causes the fileless components to disappear after a reboot.”

The malware also hides running-config elements in memory, allows bypassing ACLs for VTY (a virtual interface on a Cisco device used for remote access), can disable log history, and resets running-config timestamps to conceal changes.

“At present, there is no universal automated tool that can reliably determine whether a Cisco device was successfully compromised as part of the ZeroDisco operation. If you suspect your switch has been affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level examination of the firmware, ROM, and boot areas,” Trend Micro notes.
