Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco" Attacks

Posted on October 16, 2025 by CWS

Oct 16, 2025 | Ravie Lakshmanan | Vulnerability / Linux
Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw affecting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.
The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.

"The operation primarily affected Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access," researchers Dove Chiu and Lucien Chuang said.
The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.
Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response (EDR) solutions enabled, making it possible to deploy the rootkits and fly under the radar. In addition, the adversary is said to have used spoofed IP and MAC addresses in their intrusions.
Apart from CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.

The name "Zero Disco" is a reference to the fact that the implanted rootkit sets a universal password that includes the word "disco" in it, a one-letter change from "Cisco."
"The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers noted. "Newer switch models provide some protection through Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed."
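The campaign above leaned on two management-plane services: SNMP, where CVE-2025-20352 requires only an authenticated remote sender (so a guessable v1/v2c community string reachable from anywhere is the realistic entry point), and Telnet, where the modified CVE-2017-3881 attempts landed. As an added example that is not code from this article, from Trend Micro's report, or from Cisco, the Python script below audits a Cisco IOS/IOS XE running-config for both exposures: community strings without an ACL, read-write communities, SNMPv3 groups that are not `priv` or have no `access` ACL, and VTY lines that still accept Telnet. The configuration text is constructed for illustration; the command syntax is standard IOS, but the parser is a simplification and does not cover every form of `snmp-server community`. Patching is the fix for the SNMP flaw itself; an audit like this only narrows who can reach the vulnerable subsystem.

```python
"""Audit a Cisco IOS/IOS XE running-config for SNMP and Telnet exposure.

Added example, not code from the article or from Trend Micro. The config
samples are constructed and do not describe any real device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "before" state, with several weak settings.
WEAK_CONFIG = """\
!
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETMON v3 noauth
snmp-server group NETMGMT v3 priv access 10
line vty 0 4
 transport input all
line vty 5 15
 transport input ssh
!
"""

# Constructed sample: the corrected state. Only SNMPv3 authPriv, gated by an
# ACL, and SSH-only VTY lines.
HARDENED_CONFIG = """\
!
snmp-server group NETMGMT v3 priv access 10
line vty 0 15
 transport input ssh
!
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    config_line: str   # the line (community strings redacted) the finding refers to
    reason: str


COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$", re.I)
VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")
TRANSPORT_RE = re.compile(r"^transport input (.+)$", re.I)


def _redact(community: str) -> str:
    """Never copy a community string into a report; keep only its first character."""
    return community[0] + "*" * (len(community) - 1)


def audit_config(config: str) -> List[Finding]:
    """Return one Finding per weak SNMP or Telnet setting found in `config`."""
    findings: List[Finding] = []
    current_vty: Optional[str] = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # Any unindented command ends a `line vty` block.
        if not raw.startswith(" "):
            current_vty = None

        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            shown = f"snmp-server community {_redact(community)} {mode}"
            # v1/v2c: the community string is the only credential and is sent in cleartext.
            if acl is None:
                findings.append(Finding("high", shown,
                    "v1/v2c community reachable from any source (no ACL); apply an ACL or migrate to SNMPv3"))
            else:
                findings.append(Finding("medium", shown,
                    f"v1/v2c community restricted by ACL {acl} but still cleartext; prefer SNMPv3 priv"))
            if mode == "RW":
                findings.append(Finding("high", shown, "read-write community; remove RW unless strictly required"))
            continue

        m = GROUP_RE.match(line)
        if m:
            group, level, rest = m.group(1), m.group(2).lower(), m.group(3)
            if level != "priv":
                findings.append(Finding("medium", line,
                    f"SNMPv3 group {group} uses '{level}'; use 'priv' for authentication and encryption"))
            if not re.search(r"\baccess \S+", rest, re.I):
                findings.append(Finding("medium", line, f"SNMPv3 group {group} has no 'access' ACL"))
            continue

        if VTY_RE.match(line):
            current_vty = line
            continue

        m = TRANSPORT_RE.match(line)
        if m and current_vty:
            protocols = set(m.group(1).lower().split())
            if "all" in protocols or "telnet" in protocols:
                findings.append(Finding("high", f"{current_vty} / {line}",
                    "Telnet accepted on VTY line; use 'transport input ssh'"))

    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"[{name}] {count_by_severity(results)}")
        for f in results:
            print(f"  {f.severity:6} {f.config_line}: {f.reason}")
```

Feed it the output of `show running-config` from a device; community strings are redacted in the report so the audit output itself does not become a credential leak. The hardened sample produces no findings, while the weak sample yields three high-severity findings (an unrestricted community, a read-write community, and Telnet on a VTY line) and three medium ones.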
