November 25, 2025
Attackers exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on affected switches and install a Linux-style rootkit that grants persistent, privileged access. The compromise sets a universal password containing the string “disco,” injects hooks into the IOSd process so some components are fileless and vanish after reboot, and includes a UDP-based controller that can toggle or erase logs, bypass AAA and VTY ACLs, conceal running-config changes, and reset configuration timestamps to hide tampering. The campaign targeted older and mid-life devices—notably Cisco 9400, 9300 and legacy 3750G series—and also leveraged a modified Telnet exploit to enable memory read/write on certain builds.
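The campaign summarized above relied on reachable SNMP and on Telnet as a secondary vector. As an added defensive example (not code from the article or from any vendor), the script below audits an exported Cisco IOS running-config for the kinds of exposure that widen that attack surface: SNMP communities with no source ACL, read-write communities, well-known default community names, and VTY lines that still accept Telnet. The sample config text is constructed for illustration, and the checks are generic hardening checks, not a test for the specific vulnerability.

```python
"""Audit an exported Cisco IOS running-config for SNMP and Telnet exposure.

Added example; the configuration below is constructed, not from a real device.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export of `show running-config` (hypothetical device).
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community netops RW 10
snmp-server community mon-ro RO SNMP-MGRS
snmp-server group NETMON v3 priv
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


def audit_ios_config(config: str) -> List[Finding]:
    """Return hardening findings for weak SNMP and Telnet settings."""
    findings: List[Finding] = []
    vty_block = None  # header of the `line vty` block currently being parsed
    for raw in config.splitlines():
        line = raw.rstrip()
        # Top-level (unindented) lines start a new block; remember VTY blocks.
        if not line.startswith(" "):
            vty_block = line if line.startswith("line vty") else None

        # snmp-server community <name> RO|RW [<acl>]
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            name, mode, acl = m.groups()
            if acl is None:
                findings.append(Finding("high", line, f"community '{name}' has no source ACL"))
            if mode == "RW":
                findings.append(Finding("high", line, f"community '{name}' is read-write"))
            if name.lower() in ("public", "private"):
                findings.append(Finding("high", line, f"community '{name}' is a well-known default"))
            continue

        # transport input <protocols...> inside a `line vty` block
        if vty_block and line.strip().startswith("transport input"):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(
                    Finding("medium", f"{vty_block}: {line.strip()}", "Telnet accepted on VTY lines")
                )
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.reason}")
```

Run it against a real export to get a quick list of lines to remediate; the remediation is to attach an ACL to every community (or move monitoring to SNMPv3 with `priv`), drop read-write communities, and restrict VTY transport to SSH.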
Once a core switch is controlled, attackers can perform ARP spoofing and IP impersonation to bypass internal firewalls and pivot into protected VLANs, enabling lateral movement to critical zones. Newer platforms with ASLR make exploitation less reliable but do not prevent it, and repeated attempts can overcome the mitigation. The operation combines multi-stage SNMP exploits, auxiliary Telnet memory abuses, and network-level tools to maximize stealth and persistence, turning compromised network infrastructure into a covert platform for broader access and data manipulation.
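The ARP spoofing and IP impersonation described above leave a footprint in the ARP caches of neighbouring devices. As an added detection example (not from the article), the script below walks a series of ARP cache snapshots, such as periodic `show ip arp` exports, and raises alerts when a gateway IP resolves to a MAC other than its known baseline, when any IP changes MAC between snapshots, or when one MAC claims more than one gateway address. The baseline bindings and snapshots are constructed for illustration.

```python
"""Detect ARP spoofing indicators in periodic ARP cache snapshots.

Added example; baseline bindings and snapshots are constructed, not real data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class ArpEntry(NamedTuple):
    ts: str
    ip: str
    mac: str


# Authoritative gateway/firewall bindings the defender maintains (constructed).
BASELINE: Dict[str, str] = {
    "10.10.0.1": "00:11:22:33:44:01",
    "10.20.0.1": "00:11:22:33:44:02",
}

# Constructed ARP cache snapshots from an access switch, in time order.
SNAPSHOTS: List[ArpEntry] = [
    ArpEntry("12:00:00", "10.10.0.1", "00:11:22:33:44:01"),
    ArpEntry("12:00:00", "10.10.0.25", "aa:bb:cc:dd:ee:25"),
    ArpEntry("12:05:00", "10.10.0.1", "00:11:22:33:44:01"),
    ArpEntry("12:10:00", "10.10.0.1", "de:ad:be:ef:00:99"),   # gateway IP now resolves elsewhere
    ArpEntry("12:10:00", "10.20.0.1", "de:ad:be:ef:00:99"),   # same MAC claims a second gateway
    ArpEntry("12:10:00", "10.10.0.25", "aa:bb:cc:dd:ee:25"),
]


def detect_arp_anomalies(entries: Iterable[ArpEntry], baseline: Dict[str, str]) -> List[str]:
    """Return human-readable alerts for spoofing indicators in the snapshots."""
    alerts: List[str] = []
    last_mac: Dict[str, str] = {}            # most recent MAC seen per IP
    ips_by_mac: Dict[str, set] = defaultdict(set)
    for e in entries:
        # 1. A protected address resolving to a MAC other than its baseline.
        expected = baseline.get(e.ip)
        if expected and e.mac != expected:
            alerts.append(f"{e.ts} baseline violation: {e.ip} -> {e.mac} (expected {expected})")
        # 2. Any IP whose MAC changed since the previous snapshot.
        prev = last_mac.get(e.ip)
        if prev and prev != e.mac:
            alerts.append(f"{e.ts} MAC change: {e.ip} {prev} -> {e.mac}")
        last_mac[e.ip] = e.mac
        ips_by_mac[e.mac].add(e.ip)
    # 3. One MAC answering for several gateway addresses at once.
    for mac, ips in ips_by_mac.items():
        gateways = sorted(ip for ip in ips if ip in baseline)
        if len(gateways) > 1:
            alerts.append(f"MAC {mac} claims multiple gateway addresses: {', '.join(gateways)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SNAPSHOTS, BASELINE):
        print(alert)
```

The baseline check is the one worth wiring to an alert, since a gateway or firewall interface changing MAC outside a maintenance window is rarely benign; the per-IP change check is noisier on DHCP segments and is better used as supporting context.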