Listen to this Post

Cybersecurity researchers have uncovered a highly sophisticated attack campaign targeting critical network infrastructure. Dubbed “Operation Zero Disco”, this campaign exploits a newly disclosed vulnerability in Cisco’s Simple Network Management Protocol (SNMP) to deploy stealthy Linux rootkits on switches. By focusing on older devices and leveraging multiple evasion techniques, attackers gain persistent, near-undetectable access to enterprise networks, putting corporate operations and sensitive data at serious risk.
Critical Vulnerability in Cisco SNMP Enables Remote Exploitation
The campaign leverages CVE-2025-20352, a critical vulnerability affecting Cisco’s SNMP implementation on both 32-bit and 64-bit switch builds. This flaw allows attackers to execute remote code on vulnerable devices, effectively granting a backdoor into corporate networks. Its impact is amplified by the fact that many SNMP services use default community strings like “public,” making exploitation relatively easy for anyone with network access. Trend Micro’s telemetry shows that the campaign specifically targets Cisco 9400, 9300, and legacy 3750G series switches. While newer models incorporate security features like Address Space Layout Randomization (ASLR), attackers can still bypass protections through repeated exploitation attempts.
Advanced Rootkit Deployment and Persistent Access
After exploiting the SNMP vulnerability, attackers deploy a complex rootkit that embeds itself deeply in the device’s IOSd memory. The malware creates a universal password containing “disco”, enabling cross-method authentication across AAA, local login, and enable password systems. Key persistence techniques include:
Fileless components that survive device reboots.
Hooks that disable logging, hiding malicious activities.
A UDP controller that operates without needing open ports, allowing attackers to manipulate log histories, bypass authentication, and conceal configuration changes.
This level of control enables attackers to essentially take over network switches, modify configurations silently, and maintain undetected access for prolonged periods.
Network Infiltration and Evasion Techniques
Operation Zero Disco also demonstrates sophisticated lateral movement strategies:
VLAN routing manipulation bridges segmented network zones.
IP spoofing of trusted hosts allows firewall bypass.
ARP spoofing embedded in Cisco guest shells hijacks network traffic and disrupts legitimate devices.
The rootkit can hide specific configuration items, including account names, Embedded Event Manager (EEM) scripts, and Access Control Lists (ACLs). Trend Micro identified hidden accounts like “dg3y8dpk” through “dg7y8hpk” and concealed ACLs named “EnaQWklg0” to “EnaQWklg2.” Attackers also attempt to exploit a modified version of CVE-2017-3881, a known Telnet vulnerability, to read and write arbitrary memory, though full exploitation details are still under investigation.
Indicators of Compromise and Defense Strategies
Organizations can detect potential compromises using Trend Micro’s Cloud One Network Security and Deep Discovery solutions, which include detection rules for SNMP exploits (rule 46396) and UDP controller communications (rules 5497 and 5488). However, no automated tool currently guarantees detection of infected Cisco switches, requiring manual verification with Cisco Technical Assistance Center support.
What Undercode Say:
Operation Zero Disco represents a new paradigm in network-targeted attacks, blending old vulnerabilities with modern evasion techniques. Several points emerge from this analysis:
Legacy Infrastructure Risk: Older switch models, especially the 3750G series, are inherently vulnerable. Organizations still using legacy infrastructure face elevated risk without robust monitoring.
Cross-Layer Exploitation: By combining SNMP vulnerabilities with Telnet exploits, attackers achieve multi-vector access. This dual-layer attack method complicates detection, as traditional network monitoring tools may miss the full chain of compromise.
Persistence and Stealth: The rootkit’s ability to hook into authentication systems, disable logging, and survive reboots demonstrates advanced persistence. Attackers can maintain long-term access with minimal footprint, a nightmare scenario for IT teams.
Network Segmentation Bypass: VLAN bridging, ARP spoofing, and IP impersonation allow attackers to move laterally across network segments. Enterprises that rely solely on segmentation without inspecting internal traffic may have a false sense of security.
Complex Detection Requirements: Manual investigation remains crucial. Automated detection is limited, meaning organizations must combine endpoint monitoring, network telemetry, and vendor support to mitigate risk.
Operational Impact: Beyond data theft, this attack can disrupt enterprise operations by manipulating VLAN routing or taking devices offline. The attack could impact high-availability systems or cloud integrations if core switches are compromised.
Cyber Hygiene Implications: Default SNMP credentials, outdated devices, and incomplete patching remain primary enablers. This campaign highlights that operational oversight—keeping devices updated and configured securely—is as important as technical defenses.
Strategic Response: Enterprises must adopt layered defenses, including anomaly detection for unusual device activity, real-time log monitoring, and strict access control policies. Incident response plans should anticipate attacks that bypass traditional network security controls.
Future Threats: Attackers are likely to adapt these techniques to other network devices and vendors. SNMP vulnerabilities and rootkit-based persistence are not limited to Cisco, indicating broader implications for critical network infrastructure.
Global Enterprise Implications: Companies with mixed legacy and modern networks must conduct comprehensive audits. Those that fail to proactively identify vulnerable devices may face prolonged, stealthy compromises.
🔍 Fact Checker Results
✅ CVE-2025-20352 exists and allows remote code execution on affected Cisco switches.
✅ Trend Micro confirmed exploitation of 9400, 9300, and 3750G devices.
❌ There is currently no universal automated detection tool for identifying compromised Cisco switches.
📊 Prediction
⚠️ Attackers are likely to expand Operation Zero Disco techniques to newer Cisco models and other vendors.
📈 Enterprises will see increased demand for proactive network monitoring, AI-based anomaly detection, and security audits of legacy infrastructure.
💡 Organizations that patch SNMP vulnerabilities, rotate default credentials, and adopt multi-layer defenses will significantly reduce risk exposure.
This campaign signals a turning point in network security: legacy infrastructure is no longer just outdated—it can be a persistent, strategic target for highly skilled adversaries.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




