A new attack campaign, dubbed Operation Zero Disco by Trend Micro, exploits a vulnerability in Cisco’s Simple Network Management Protocol (SNMP) to install rootkits on network devices. The vulnerability, registered as CVE-2025-20352, was confirmed by Cisco in early October as an actively exploited zero-day.
The flaw affects Cisco IOS and IOS XE and allows remote code execution when an attacker has root privileges. According to Cisco’s Product Security Incident Response Team (PSIRT), the company was already aware of successful exploitation before a patch was released. Older, unprotected switches from the 9400, 9300, and 3750G series are particularly vulnerable.
Trend Micro describes how attackers exploit the vulnerability to embed a Linux rootkit in the switch’s IOSd process. The malware adds a universal password containing the word disco, a reference to the manufacturer, and provides persistent access to the system. Once installed, the rootkit places several hooks in the IOSd memory, allowing logs to be manipulated, configurations to be hidden, and authentication checks to be bypassed.
The research team recovered both 32-bit and 64-bit versions of the exploit. The variant for 64-bit devices requires access to the guest shell with administrator privileges (level 15), but then provides complete control over the system. In both cases, the attack is carried out via the SNMP process. The exploit can also be combined with a second vulnerability, CVE-2017-3881, an older flaw in the Cluster Management Protocol code that is modified in this campaign to read and write memory.
Hidden UDP controller
After successful exploitation, the rootkit installs a hidden UDP controller. This can listen on any port, regardless of whether it is open. Through this channel, attackers can delete log history and bypass AAA and VTY access rules. They can also hide parts of the configuration and modify timestamps to cover their tracks. Trend Micro shows a simulation of how an attacker can use this control to perform ARP spoofing, imitate a control station, and then bypass internal firewall rules to move laterally between VLAN segments.
Although newer Cisco switches are more resistant to these types of attacks thanks to Address Space Layout Randomization (ASLR), this protection does not rule out successful exploitation: with repeated attempts, an attacker can still discover the necessary memory addresses.
Cisco collaborated on the research by providing forensic data and impact analyses. However, there is currently no reliable automated tool to determine whether a device is actually infected.
The security company also recommends changing default SNMP community strings such as public, disabling Telnet access, and deploying intrusion prevention systems. Trend Micro products such as Vision One and Cloud One Network Security can detect the traffic and commands from the UDP controller.
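Two of the recommended mitigations, replacing default SNMP community strings and disabling Telnet on the VTY lines, can be spot-checked against an exported running-config. The audit script below is an added example, not part of the Trend Micro report or of any Cisco tooling; the configuration excerpt it inspects is constructed, and the set of community strings treated as default is an assumption.

```python
import re

# Constructed Cisco IOS running-config excerpt (not taken from the article).
SAMPLE_CONFIG = """\
hostname core-sw-01
snmp-server community public RO
snmp-server community s3cr3t-mgmt RW
snmp-server community netops-ro RO
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Assumed list of well-known default community strings worth flagging.
DEFAULT_COMMUNITIES = {"public", "private"}


def weak_snmp_communities(config):
    """Return (community, mode) pairs that are default strings or grant write (RW) access.

    IOS treats a community line without an explicit RO/RW keyword as read-only.
    """
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", config, re.M):
        name, mode = m.group(1), (m.group(2) or "RO")
        if name.lower() in DEFAULT_COMMUNITIES or mode == "RW":
            findings.append((name, mode))
    return findings


def telnet_vty_lines(config):
    """Return the 'vty a b' ranges whose 'transport input' still permits Telnet.

    Only explicit 'transport input' statements are evaluated; vty blocks without
    one inherit the platform default and should be reviewed by hand.
    """
    findings = []
    current = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line[len("line "):]          # e.g. "vty 0 4"
        elif current and line.startswith(" transport input"):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(current)
        elif current and not line.startswith(" "):
            current = None                          # left the line block
    return findings


if __name__ == "__main__":
    print("weak SNMP communities:", weak_snmp_communities(SAMPLE_CONFIG))
    print("vty lines allowing Telnet:", telnet_vty_lines(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` saved to a file; an empty result for both checks means only the two items the article names are covered, not that the device is free of the rootkit.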