Threat researchers at Trend Micro have documented Operation ZeroDisco, a targeted campaign abusing the recently patched but widely exploited CVE-2025-20352 in Cisco IOS and IOS XE. The operators focus on legacy and unpatched network switches and routers, including the Cisco 9400, 9300, and 3750G series, to deploy a stealthy rootkit and maintain long-term access in enterprise environments with limited detection tooling.
CVE-2025-20352 in Cisco IOS/IOS XE: impact and exploitation path
The flaw carries a CVSS score of 7.7 and was addressed by Cisco in late September 2025 across supported IOS/IOS XE releases. According to Cisco’s advisory, the issue stems from a stack overflow in the SNMP (Simple Network Management Protocol) processing logic. Crafted SNMP packets over IPv4 or IPv6 can trigger DoS conditions at lower privilege levels and enable RCE with root privileges when additional access is present.
Practically, possession of a read-only community string (or valid SNMPv3 credentials) lowers the bar for denial-of-service attempts. With further privilege escalation, attackers can execute arbitrary code. Cisco’s PSIRT has confirmed in-the-wild exploitation, highlighting the urgency of remediation.
Internet-exposed SNMP dramatically raises risk
Exposing SNMP to the public internet remains poor operational hygiene. As a data point underscoring scale, Shodan indexed over 2 million SNMP-exposed devices globally in late September 2025, substantially increasing the likelihood of opportunistic and targeted exploitation attempts.
Operation ZeroDisco TTPs: initial access, rootkit, and persistence
Trend Micro reports the operators preferentially target environments lacking modern EDR or robust telemetry. Intrusions frequently feature a “universal password” containing the string “disco”, which informs the campaign’s name. Initial access chains are not limited to CVE-2025-20352; the group also employs a modified exploit for the legacy CVE-2017-3881 Telnet RCE (with memory read/write capabilities).
On 32-bit systems, attackers deliver malicious SNMP traffic and leverage the Telnet exploit to interact with device memory. On 64-bit systems, the SNMP exploit is used to bootstrap a rootkit, after which the universal password facilitates access and a fileless backdoor is established. Lateral movement has been observed across segmented environments using separate VLANs, indicating an understanding of network boundaries and trust zones.
Inside the IOS/IOS XE rootkit: covert command and control and configuration tampering
The rootkit monitors UDP traffic sent to any device port—including closed ports—to receive covert commands for backdoor control. It modifies IOSd memory to insert a universal password that aligns with common authentication mechanisms and hooks into IOSd internals. Some fileless components are designed to vanish after a reboot, complicating forensic analysis and hindering simple “reboot to clean” recovery assumptions.
To reduce visibility, the malware can hide running-config entries in memory, bypass VTY ACLs, disable logging, and reset configuration timestamps, thereby masking operator actions and slowing incident response. These behaviors are consistent with long-term operational objectives and supply chain interdiction tactics seen in prior network infrastructure compromises reported by multiple vendors.
Risk assessment and actionable defenses
There is currently no universal, automated indicator set that reliably detects every instance of Operation ZeroDisco. Trend Micro advises organizations with suspected compromise to engage Cisco TAC promptly for low-level inspection of firmware, ROM, and boot regions—areas that often fall outside routine operational monitoring.
Recommended mitigations include:
- Patch immediately to the Cisco updates released in late September 2025 for all affected IOS/IOS XE builds.
- Restrict or disable SNMP exposure to the internet: enforce ACLs/firewalls, prefer SNMPv3, and confine management to dedicated VLAN/VRF segments.
- Disable Telnet entirely; use SSH with MFA and strict source ACLs.
- Continuously verify running-config integrity, reconcile timestamp anomalies, and alert on unusual UDP flows to arbitrary or closed ports.
- Enhance network and device logging; deploy EDR/behavioral telemetry for IOS XE’s Linux components and adjacent management hosts.
- Harden identity: minimize admin roles, enforce unique long passwords, and rotate SNMP and administrative credentials regularly.
Operation ZeroDisco illustrates how a vulnerable SNMP surface, legacy services like Telnet, and insufficient segmentation combine into a high-consequence threat to core network infrastructure. Organizations should compress the exposure window for CVE-2025-20352 through rapid patching, reduce attack surface, and implement layered controls—segmentation, stringent ACLs, rigorous change control, and comprehensive monitoring. Coordinated forensic readiness with the vendor materially increases the odds of early detection and effective eradication.
