Threat actors exploited a zero-day remote code execution (RCE) vulnerability (**CVE-2025-20352**) in older, unpatched Cisco networking devices (9400, 9300, and legacy 3750G series) to deploy a **Linux rootkit** named *Operation Zero Disco*. The rootkit grants persistent access, allows log manipulation, bypasses authentication (AAA/VTY ACLs), and enables lateral movement across VLANs via ARP spoofing. Attackers also attempted to exploit **CVE-2017-3881**, a 7-year-old flaw in Cisco’s Cluster Management Protocol. The malware installs fileless hooks into the IOSd process, disappearing after reboots, and leaves no reliable detection method—requiring low-level firmware/ROM analysis for confirmation. While newer switches have partial ASLR protections, sustained targeting could still compromise them. The attack risks **unauthorized network control, data exfiltration, and lateral expansion** within corporate or critical infrastructure environments. No public reports confirm data theft, but the rootkit’s capabilities enable stealthy, long-term persistence for future exploits. Trend Micro warns that compromised devices may serve as launchpads for broader attacks, though no direct financial, reputational, or operational damages (e.g., outages, data leaks) were explicitly documented in the article.
TPRM report: https://www.rankiteo.com/company/cisco-talos-intelligence-group
{
  "id": "cis4802448101725",
  "linkid": "cisco-talos-intelligence-group",
  "type": "Vulnerability",
  "date": "6/2017",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'networking hardware/software',
                        'location': 'global',
                        'name': 'Cisco Systems, Inc.',
                        'size': 'large enterprise',
                        'type': 'corporation'}],
 'attack_vector': ['exploitation of public-facing application (SNMP)',
                   'privilege escalation',
                   'fileless malware',
                   'UDP-based command-and-control'],
 'customer_advisories': ['Cisco recommends patching and monitoring for suspicious UDP/SNMP activity'],
 'date_publicly_disclosed': '2024-10-06',
 'description': "Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices (Cisco 9400, 9300, and legacy 3750G series) to deploy a Linux rootkit and gain persistent access. The rootkit, dubbed 'Operation Zero Disco,' features a UDP controller capable of toggling logs, bypassing security controls, and enabling lateral movement. The attacks also attempted to exploit CVE-2017-3881, a seven-year-old vulnerability in Cisco's Cluster Management Protocol. The rootkit is fileless, disappearing after reboot, and no reliable detection tool currently exists for compromised switches.",
 'impact': {'brand_reputation_impact': ['potential erosion of trust in Cisco device security'],
            'operational_impact': ['persistent unauthorized access',
                                   'bypassed logging and AAA/VTY ACLs',
                                   'lateral movement across VLANs',
                                   'potential for ARP spoofing and firewall rule bypass'],
            'systems_affected': ['Cisco 9400 series switches',
                                 'Cisco 9300 series switches',
                                 'Cisco 3750G series switches (legacy)']},
 'initial_access_broker': {'backdoors_established': ['Linux rootkit with UDP controller',
                                                     "universal 'disco' password",
                                                     'fileless hooks in IOSd process'],
                           'entry_point': ['SNMP service (CVE-2025-20352)',
                                           'Cluster Management Protocol (CVE-2017-3881)'],
                           'high_value_targets': ['networking infrastructure (switches)',
                                                  'lateral movement across VLANs']},
 'investigation_status': 'ongoing (no reliable detection method; manual firmware analysis required)',
 'lessons_learned': ['Legacy Cisco devices without ASLR remain highly vulnerable to RCE exploits even after patches are available.',
                     'Fileless rootkits can persist undetected across reboots, complicating forensic investigations.',
                     'SNMP and UDP-based attacks can bypass traditional security controls (e.g., firewalls, ACLs).',
                     'Lack of EDR/XDR solutions on networking devices creates blind spots for defenders.'],
 'post_incident_analysis': {'corrective_actions': ['Accelerate patch deployment for Cisco IOS/IOS XE devices.',
                                                   'Implement network segmentation to limit blast radius.',
                                                   'Develop custom detection rules for UDP/SNMP-based rootkit C2 traffic.',
                                                   'Replace end-of-life devices (e.g., 3750G series) lacking modern protections like ASLR.'],
                            'root_causes': ['Unpatched vulnerabilities (CVE-2025-20352, CVE-2017-3881) in legacy Cisco devices.',
                                            'Lack of EDR/XDR coverage for networking hardware.',
                                            'Insufficient monitoring of SNMP and UDP traffic for anomalies.',
                                            'Fileless malware evading traditional detection mechanisms.']},
 'recommendations': ['Immediately patch CVE-2025-20352 and CVE-2017-3881 on all Cisco IOS/IOS XE devices.',
                     'Deploy EDR/XDR solutions capable of monitoring networking devices for anomalous behavior.',
                     'Segment networks to limit lateral movement via VLANs.',
                     'Monitor SNMP and UDP traffic for signs of exploitation (e.g., unexpected port listening, log tampering).',
                     'Conduct low-level firmware/ROM investigations if compromise is suspected (no reliable detection tools exist).',
                     'Replace or reimage devices confirmed to be compromised due to fileless persistence.',
                     'Disable SNMP or restrict it to trusted management networks if not critically needed.'],
 'references': [{'date_accessed': '2024-10-06',
                 'source': 'Cisco PSIRT Advisory for CVE-2025-20352',
                 'url': 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-snmp-rce-20352'},
                {'date_accessed': '2024-10-06',
                 'source': "Trend Micro Research: 'Operation Zero Disco'",
                 'url': 'https://www.trendmicro.com/en_us/research/24/j/operation-zero-disco-exploiting-cisco-zero-day.html'},
                {'date_accessed': '2024-10-06',
                 'source': 'Indicators of Compromise (IoCs) for Operation Zero Disco',
                 'url': 'https://www.trendmicro.com/en_us/what-is/indicators-of-compromise-ioc.html'}],
 'response': {'communication_strategy': ['Cisco PSIRT bulletin (updated October 6)',
                                         'Trend Micro research report'],
              'containment_measures': ['low-level firmware and ROM region investigation recommended for suspected compromises'],
              'enhanced_monitoring': ['recommended for SNMP and UDP traffic anomalies'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['patching CVE-2025-20352 and CVE-2017-3881',
                                       'replacing or reimaging compromised devices (due to fileless persistence)'],
              'third_party_assistance': ['Trend Micro (investigation and analysis)']},
 'stakeholder_advisories': ['Cisco PSIRT bulletin',
                            'Trend Micro technical report'],
 'title': "Exploitation of CVE-2025-20352 in Cisco Networking Devices via 'Operation Zero Disco'",
 'type': ['unauthorized access',
          'remote code execution (RCE)',
          'rootkit deployment',
          'lateral movement',
          'persistence'],
 'vulnerability_exploited': ['CVE-2025-20352 (SNMP RCE in Cisco IOS/IOS XE)',
                             'CVE-2017-3881 (Cluster Management Protocol RCE in Cisco IOS/IOS XE)']}