Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability for Rootkit Deployment

Oct 15, 2025 | By Padmashree P | 6 min read

Background on Operation Zero Disco

Operation Zero Disco

SNMP (Simple Network Management Protocol)

Telnet

    • Targeting both 32-bit and 64-bit Cisco platforms, including legacy models like the 3750G.
    • Installing fileless rootkits that provide persistent, stealthy access.
    • Bypassing authentication and logging mechanisms, making detection extremely difficult.
    • Using a UDP-based controller to manage infected devices covertly.

Vulnerability Details

CVE-2025-20352

    • CVSS Score: 7.7 (High)
    • EPSS: 0.57%
    • Vulnerability Type: Remote Code Execution
    • Affected Systems: Cisco IOS XE (32-bit & 64-bit), especially models: 9400, 9300, 3750G

CVE-2017-3881

    • CVSS Score: 10.0 (Critical)
    • EPSS: 94.02%
    • Vulnerability Type: Remote Code Execution
    • Affected Systems: Cisco IOS and IOS XE software

Impact

legacy Cisco switches

    • Persistent Unauthorized Access: Attackers maintain long-term access through memory-resident rootkits.
    • Network Segmentation Bypass: VLAN manipulation allows threat actors to cross network boundaries.
    • Stealth Reconnaissance and Espionage: Log manipulation and in-memory execution provide near-invisible operational cover.
    • Traffic Hijacking and ARP Spoofing: Enables data interception and redirection within internal networks.
    • Security Tool Evasion: Fileless execution bypasses most signature-based AV/EDR tools.

Infection Method

1. Initial Access via SNMP Exploit

    • Attackers exploited the SNMP service using CVE-2025-20352.
    • The SNMP service was often left exposed with default “public” community strings, making it an easy entry point.
    • Malicious SNMP packets were sent to the device, each carrying a fragment of a shell command due to SNMP payload size limits.
        • Example: a captured packet contained the fragment “$(ps -a”.
        • Full commands were reconstructed from multiple packets.

2. Rootkit Deployment

    • On 32-bit devices (e.g., 3750G):
        • The SNMP exploit allowed remote code execution (RCE).
        • A Linux rootkit was installed to maintain persistence and evade detection.
    • On 64-bit devices (e.g., 9300/9400):
        • Level 15 privilege was required to access the guest shell.
        • Once inside, attackers used a universal password (containing “disco”) to gain access.
        • A fileless rootkit was deployed via the guest shell.

3. Advanced Exploits

    • Logging Bypass:
        • A variant of the SNMP exploit could disable trace logging without using mmap.
        • Only a few memory addresses were needed to achieve RCE.
    • Telnet Exploit:
        • A modified version of CVE-2017-3881 was used to allow arbitrary memory read/write.
        • Full capabilities are still under investigation.

4. Post-Exploitation Control

    • A UDP-based controller was deployed to manage the rootkit.
    • The controller could:
        • Toggle or delete logs.
        • Bypass AAA authentication and VTY ACLs.
        • Enable/disable the universal password.
        • Hide configuration changes (e.g., accounts, ACLs, EEM scripts).
        • Reset configuration timestamps to hide modifications.

5. Lateral Movement

    • Attackers used ARP spoofing to impersonate trusted devices (e.g., waystations).
    • This allowed them to bypass internal firewalls and move laterally across VLANs.
    • The ARP spoofing tool was a Linux ELF binary executed via the guest shell.

Malware Capabilities

    • Universal Password Injection: Hooks low-level auth to allow access across all login methods.
    • Log Manipulation: Can disable or delete logs, making detection difficult.
    • Configuration Cloaking: Hides specific ACLs, accounts, and scripts from running-config.
    • VTY ACL Bypass: Ignores access control lists on virtual terminal lines.
    • UDP Controller: Used to manage the rootkit remotely, even without open ports.

Tactics, Techniques & Procedures (TTPs)

Operation Zero Disco

    • TA0001 – Initial Access: Exploitation of SNMP vulnerability for RCE.
    • TA0002 – Execution: Arbitrary code execution via buffer overflow in SNMP daemon.
    • TA0003 – Persistence: Fileless rootkit modifies IOSd memory; sets a universal password containing the word “disco”.
    • TA0005 – Defense Evasion: Attackers disable logging, hide configuration changes, and bypass AAA and VTY ACLs.
    • TA0008 – Lateral Movement: VLAN routing manipulation and ARP spoofing to move laterally across networks.
    • TA0011 – Command & Control: Use of a UDP-based controller that operates without explicit open ports.

Indicators of Compromise (IoCs)

    • Hidden Accounts: e.g., dg3y8dpk, dg4y8epk, etc.
    • Hidden ACLs: e.g., EnaQWklg0, EnaQWklg1
    • EEM Scripts: CiscoEMX-1 to CiscoEMX-5
    • Suspicious UDP Payloads: Used for rootkit control.
    • ARP Spoofing Tools: ELF binaries running in guest shell.

Mitigation Steps

immediate action

    1. Patch All Affected Devices
      Apply Cisco’s patch for CVE-2025-20352 without delay. Check the Cisco PSIRT advisory for firmware updates.
    2. Restrict SNMP Access
      Limit SNMP to secure, authenticated community strings and only allow access from trusted management subnets.
    3. Segment Legacy Devices
      Isolate legacy switches that can’t be patched immediately and monitor them closely for anomalies.
    4. Audit Network Configuration
      Look for unexpected routing rules, ACL changes, or hidden configuration segments on core switches.
    5. Engage Cisco TAC for Firmware Integrity Checks
      Cisco TAC can assist with forensic inspection of switch memory and persistent changes.
    6. Deploy Threat Detection & Virtual Patching
      Use Trend Micro Cloud One Network Security and Deep Discovery Inspector to detect SNMP anomalies and apply virtual patches.
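An added example, not code from the original post or from SecPod: a Python audit of a saved Cisco running-config that flags default or ACL-less SNMP community strings (step 2 above) and the hidden-account, ACL and EEM names listed under Indicators of Compromise. The config sample is constructed, and the account-name pattern is an assumption that generalises the two names given above.

```python
import re

# Constructed sample of a Cisco running-config excerpt (not from a real
# device). It mixes ordinary lines with the indicator patterns named in
# this post so that every check below fires at least once.
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community mgmt-ro RO 10
username admin privilege 15 secret 5 $1$abcd$placeholder
username dg3y8dpk privilege 15 secret 5 $1$abcd$placeholder
ip access-list extended EnaQWklg0
 permit ip any any
event manager applet CiscoEMX-1
 event none
"""

# Default community strings called out in the post as an easy entry point.
DEFAULT_COMMUNITIES = {"public", "private"}
# Indicator patterns from the post. The account pattern is an assumption
# that generalises the two names given there (dg3y8dpk, dg4y8epk).
ACCOUNT_RE = re.compile(r"^username (dg\dy8[a-z]pk)\b")
ACL_RE = re.compile(r"^ip access-list \w+ (EnaQWklg\d)\b")
EEM_RE = re.compile(r"^event manager applet (CiscoEMX-[1-5])\b")
# "snmp-server community <string> RO|RW [<acl>]": the trailing ACL is optional.
SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?")

INDICATORS = (("hidden account", ACCOUNT_RE),
              ("hidden ACL", ACL_RE),
              ("EEM script", EEM_RE))


def audit_config(config: str) -> list[str]:
    """Return findings for default or unrestricted SNMP communities and for
    the hidden-account, ACL and EEM names listed as Zero Disco indicators."""
    findings = []
    for line in config.splitlines():
        m = SNMP_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{community}' ({mode})")
            if acl is None:
                findings.append(f"SNMP community '{community}' has no ACL")
            continue
        for label, rx in INDICATORS:
            m = rx.match(line)
            if m:
                findings.append(f"{label} indicator: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Because the rootkit cloaks its accounts, ACLs and EEM scripts in the live running-config, run this against configs from backups or an NMS archive as well; a clean result from the device itself is not conclusive.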
