Older Cisco devices left unpatched against a recent zero-day vulnerability have been infected with a rootkit in a new campaign, Trend Micro reports.
The exploited defect, tracked as CVE-2025-20352 (CVSS score of 7.7), was patched in late September, when Cisco warned of its in-the-wild exploitation.
Described as a stack overflow condition in the Simple Network Management Protocol (SNMP) subsystem of IOS and IOS XE devices, the bug allows low-privileged attackers to cause a denial-of-service (DoS) condition and can be exploited by high-privileged attackers for remote code execution (RCE).
Now, Trend Micro says it has observed a threat actor exploiting the vulnerability to deploy a rootkit on older, vulnerable devices, including Cisco 9400, 9300, and legacy 3750G series devices.
“The operation targeted victims running older Linux systems that don’t have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection,” Trend Micro notes.
The campaign has been dubbed Operation ZeroDisco, because the malware sets a universal password containing the word ‘disco’, a one-letter change from Cisco.
In addition to CVE-2025-20352, the hackers used a modified exploit for CVE-2017-3881, a Telnet flaw leading to RCE, which gave them memory read/write.
Against 32-bit systems, the attackers used malicious SNMP packets to send commands to the vulnerable devices, and relied on the Telnet exploit to obtain memory read/write at arbitrary addresses.
Against 64-bit systems, the threat actors used the SNMP exploit to deploy the rootkit, then logged in using the universal password and deployed a fileless backdoor. The attackers also connected different VLANs for lateral movement.
The rootkit, Trend Micro explains, monitors UDP packets sent to any device port, even closed ones, which allows the attackers to configure or trigger backdoor functions. It also modifies IOSd memory to set up the universal password, which works across most authentication methods.
It also hides running-config items in memory, allows the bypass of ACLs applied to VTY (the virtual terminal interface on a Cisco device used for remote access), can disable log history, and resets running-config write timestamps to hide changes.
“Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot areas,” Trend Micro notes.