Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw affecting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.
The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.

“The operation mainly affected Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said.
The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.
Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response (EDR) solutions enabled, making it possible to deploy the rootkits and fly under the radar. In addition, the adversary is said to have used spoofed IP and MAC addresses in their intrusions.
Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of this functionality remains unclear.
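As an added example (not configuration from the article, from Cisco or from Trend Micro), the following Cisco IOS / IOS XE configuration fragment shows the two exposure-reduction steps a defender would apply while the fixed software is rolled out: limiting who can reach the SNMP subsystem described above, and closing Telnet on the VTY lines so the CVE-2017-3881-derived technique has nothing to talk to. The management host addresses (192.0.2.x documentation range), the ACL name SNMP-MGMT, the group MONITOR-V3 and the user "monitor" are assumed placeholders, as are the passphrases in angle brackets.

```cisco
! Added example, not from the article. Placeholder names and addresses throughout.
!
! 1. Only the assumed management hosts may reach SNMP; everything else is
!    dropped and logged so stray SNMP senders show up in syslog.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
! 2. Replace SNMPv1/v2c community strings with SNMPv3 (auth + encryption) and
!    bind both the group and the user to the ACL above.
no snmp-server community public
snmp-server group MONITOR-V3 v3 priv access SNMP-MGMT
snmp-server user monitor MONITOR-V3 v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE> access SNMP-MGMT
!
! 3. Management access over SSH only; Telnet is no longer accepted on the VTYs.
line vty 0 4
 transport input ssh
!
! 4. Verify the result.
show snmp user
show snmp group
show access-lists SNMP-MGMT
show running-config | section line vty
```

Because the vulnerability is reachable by an authenticated SNMP sender, strong SNMPv3 credentials on their own do not close it; the ACL is what narrows which hosts can deliver a crafted packet at all, and the logged deny entries give a cheap detection signal for SNMP arriving from unexpected (or spoofed) sources. Upgrading to the fixed release remains the actual remediation.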

The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it, a one-letter change from “Cisco.”
“The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection through Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”