Cybersecurity researchers have disclosed details of a new campaign that exploits a security vulnerability in Cisco IOS Software and IOS XE Software to deploy Linux rootkits. The campaign, which Trend Micro has named Operation Zero Disco, leverages CVE-2025-20352 (CVSS score 7.7). The flaw is a stack overflow in the Simple Network Management Protocol (SNMP) subsystem that allows an authenticated remote attacker to execute arbitrary code by sending crafted SNMP packets to a vulnerable device.
Although Cisco released a patch for this vulnerability last month, it was exploited as a zero-day in real-world attacks before the fix was available. The rootkit installations primarily targeted older models, including the Cisco 9400 and 9300 series and the legacy 3750G series. The attackers also attempted to exploit a modified version of the Telnet vulnerability CVE-2017-3881 in order to gain unauthorized memory access.
Trend Micro researchers Dove Chiu and Lucien Chuang reported that the rootkits installed by the attackers enable remote code execution and give them persistent unauthorized access by setting a universal password and modifying the memory space of the IOS daemon (IOSd). A notable aspect of these attacks is the targeting of older Linux systems without endpoint detection and response (EDR) solutions, which allows the attackers to conceal the rootkit's presence.
The rootkit also includes a UDP controller component that listens for incoming UDP packets, manages log history, sets passwords, bypasses authentication, and hides configuration changes by altering timestamps. The attackers additionally used spoofed IP and MAC addresses during their operations.
The name "Zero Disco" comes from the universal password set by the rootkit, which contains the word "disco," one letter off from "Cisco." Newer switch models ship with protections such as Address Space Layout Randomization (ASLR) that lower the chance of successful exploitation, but repeated attempts can still succeed.
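Because the exploited flaw lives in the SNMP subsystem and requires the attacker to be authenticated (for SNMPv1/v2c, a community string is the only credential), one practical defensive step is to audit how SNMP is exposed on the affected switches. The following script is an added example written for this article, not code from Trend Micro or Cisco: it scans a Cisco IOS running-config for community strings without an access-list, read-write communities, SNMPv3 groups without encryption or an access-list, and trap hosts still on SNMP version 1 or 2c. The two configuration fragments and the host address 10.0.0.5 are constructed samples, and the set of checks is the editor's own choice.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: a weak SNMP setup of the kind commonly found on older switches.
WEAK_CONFIG = """\
hostname access-sw-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 version 2c public
!
"""

# Constructed sample: the same switch with SNMPv3 authPriv and a management ACL.
# (Passwords are placeholders; IOS would not show them in plain text anyway.)
HARDENED_CONFIG = """\
hostname access-sw-1
!
ip access-list standard SNMP-MGMT
 permit 10.0.0.5
 deny   any log
!
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server host 10.0.0.5 version 3 priv nms-poller
!
"""


def audit_snmp_config(config_text: str) -> List[Finding]:
    """Return (severity, message) findings for the SNMP lines of an IOS config.

    The checks are hypothetical hardening rules chosen for this example:
    any v1/v2c community, RW communities, missing access-lists, v3 groups
    without 'priv', and trap/inform hosts not using version 3.
    """
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server "):
            continue
        tokens = line.split()
        if tokens[1] == "community":
            # snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
            name, rest = tokens[2], tokens[3:]
            mode, acl, i = "RO", None, 0
            while i < len(rest):
                tok = rest[i].upper()
                if tok in ("VIEW", "IPV6"):
                    i += 2  # skip the keyword and its argument
                    continue
                if tok in ("RO", "RW"):
                    mode = tok
                else:
                    acl = rest[i]  # a trailing bare token is the access-list
                i += 1
            findings.append(("high", f"community '{name}' uses SNMPv1/v2c; the community string is the only credential"))
            if mode == "RW":
                findings.append(("critical", f"community '{name}' grants read-write access"))
            if acl is None:
                findings.append(("high", f"community '{name}' has no access-list restricting source addresses"))
        elif tokens[1] == "group" and "v3" in tokens:
            # snmp-server group <name> v3 {auth|noauth|priv} [...] [access <acl>]
            name = tokens[2]
            if "priv" not in tokens:
                findings.append(("medium", f"v3 group '{name}' does not require encryption (priv)"))
            if "access" not in tokens:
                findings.append(("high", f"v3 group '{name}' has no access-list restricting source addresses"))
        elif tokens[1] == "host":
            # snmp-server host <addr> [vrf <x>] [traps|informs] [version {1|2c|3 ...}] <community-or-user>
            version = tokens[tokens.index("version") + 1] if "version" in tokens else "1"
            if version != "3":
                findings.append(("medium", f"trap/inform host {tokens[2]} uses SNMP version {version}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to its highest severity ('none' if empty)."""
    order = ["none", "medium", "high", "critical"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp_config(cfg)
        print(f"{label}: worst={worst_severity(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run it against the output of `show running-config` saved to a file to get a quick list of SNMP exposures to fix before or alongside applying Cisco's patch; restricting which sources may speak SNMP to the device reduces who can even attempt to reach the vulnerable subsystem.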
For more information, see Trend Micro's original report on Operation Zero Disco and the CVE entry for CVE-2025-20352.