Hackers Exploit Cisco SNMP Flaw to Deploy Rootkit on Switches

An Anonymous Coward writes:

https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-flaw-to-deploy-rootkit-on-switches/
https://archive.ph/crr3o

Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access.

The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.

According to cybersecurity company Trend Micro, the attacks targeted Cisco 9400, 9300, and legacy 3750G series devices that did not have endpoint detection response solutions.

In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation."

Trend Micro researchers track the attacks under the name 'Operation Zero Disco' because the malware sets a universal access password that contains the word "disco."

The report from Trend Micro notes that the threat actor also attempted to exploit CVE-2017-3881, a seven-year-old vulnerability in the Cluster Management Protocol code in IOS and IOS XE.

The rootkit planted on vulnerable systems features a UDP controller that can listen on any port, toggle or delete logs, bypass AAA and VTY ACLs, enable/disable the universal password, hide running configuration items, and reset the last write timestamp for them.

In a simulated attack, the researchers showed that it is possible to disable logging, impersonate a waystation IP via ARP spoofing, bypass internal firewall rules, and move laterally between VLANs.

Read more of this story at SoylentNews.