Hackers exploit Cisco flaw to install rootkits on switches

Cybersecurity researchers have uncovered a sophisticated attack campaign dubbed "Operation Zero Disco" that weaponizes a recently patched zero-day vulnerability in Cisco networking equipment to install persistent Linux rootkits on enterprise infrastructure. The campaign, which exploits CVE-2025-20352, has been actively targeting older Cisco switches since late September, creating backdoors that evade traditional security measures through advanced stealth techniques.

Campaign Targets Legacy Network Infrastructure

Trend Micro researchers revealed on October 14 that attackers have been exploiting the critical SNMP vulnerability to compromise Cisco 9400 series, 9300 series, and legacy 3750G devices. The vulnerability, which carries a CVSS score of 7.7, affects the Simple Network Management Protocol subsystem in both 32-bit and 64-bit Cisco IOS and IOS XE software builds.

According to Trend Micro's analysis, the operation specifically targets victims running older Linux systems without endpoint detection and response solutions, where rootkits can hide malicious activity and evade blue-team investigation. Attackers have used spoofed IP addresses, MAC addresses, and email addresses to obscure their infiltration attempts.

The vulnerability was first disclosed by Cisco on September 23, with the company's Product Security Incident Response Team acknowledging successful exploitation in the wild after local administrator credentials were compromised. CISA subsequently added CVE-2025-20352 to its Known Exploited Vulnerabilities catalog on September 29.

Rootkit Creates Universal Password System

Once successfully deployed, the malware establishes a sophisticated persistence mechanism by creating a universal password containing the word "disco" - believed to be a deliberate one-letter variation of "Cisco". This universal password works across multiple authentication methods including AAA, local login, and enable password systems by hooking low-level authentication functions in the IOSd memory space.

The rootkit operates as a UDP listener on any port without requiring the port to be explicitly opened, accepting commands directed to any IP address assigned to the device. This covert channel enables attackers to toggle log history, bypass authentication controls, hide running configuration items, and reset timestamps to make configuration changes appear nonexistent.

Security researchers discovered that the malware can conceal specific account names following patterns like "dg3y8dpk" through "dg7y8hpk," hidden Embedded Event Manager scripts named "CiscoEMX-1" through "CiscoEMX-5," and Access Control Lists including "EnaQWklg0," "EnaQWklg1," and "EnaQWklg2".
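The indicator names above, together with the SNMP exposure that CVE-2025-20352 depends on, are the two things a defender can check for in a configuration export. The following scanner is an added example written for this article, not Trend Micro's or Cisco's tooling: it walks `show running-config` text and flags (a) the hidden usernames, EEM applets and ACLs named in the article, and (b) `snmp-server community` lines that either lack an access-list restriction or grant RW access. The sample configuration, the `scan_config` function and the assumption that the hidden usernames follow the shape `dg<digit>y8<letter>pk` (inferred from the "dg3y8dpk" through "dg7y8hpk" range) are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output (not from the article).
# The indicator names are the ones Trend Micro reported; everything else,
# including the secret hashes, is a placeholder to give the scanner input.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
username admin privilege 15 secret 5 $1$XXXX$placeholder
username dg3y8dpk privilege 15 secret 5 $1$XXXX$placeholder
!
snmp-server community public RO
snmp-server community mgmt-ro RO 10
snmp-server community private RW
!
ip access-list standard EnaQWklg0
 permit any
!
event manager applet CiscoEMX-1
 event none
 action 1.0 cli command "enable"
!
event manager applet nightly-backup
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "copy running-config tftp:"
!
end
"""

# Patterns built from the indicators named in the article. The username shape
# dg<digit>y8<letter>pk is an assumption derived from the reported range.
IOC_PATTERNS = {
    "hidden-username": re.compile(r"^username\s+(dg\dy8[a-z]pk)\b"),
    "eem-applet": re.compile(r"^event manager applet\s+(CiscoEMX-[1-5])\b"),
    "acl": re.compile(r"^ip access-list\s+\S+\s+(EnaQWklg[0-2])\b"),
}

# "snmp-server community <name> RO|RW [<acl>]": the optional trailing ACL is
# what limits who may talk SNMP to the device. Its absence is the weak form.
SNMP_COMMUNITY = re.compile(
    r"^snmp-server community\s+(\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$"
)


def scan_config(text: str) -> List[Dict[str, object]]:
    """Return one finding per matched line: {"line", "kind", "value"}."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        # Known rootkit artefacts named in the article.
        for kind, pattern in IOC_PATTERNS.items():
            m = pattern.match(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "value": m.group(1)})
        # SNMP exposure: community reachable without an ACL, or writable.
        m = SNMP_COMMUNITY.match(line)
        if m:
            community, mode, acl = m.groups()
            if acl is None:
                findings.append(
                    {"line": lineno, "kind": "snmp-no-acl", "value": f"{community} ({mode})"}
                )
            if mode == "RW":
                findings.append({"line": lineno, "kind": "snmp-rw", "value": community})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind, for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["kind"])] = counts.get(str(f["kind"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['kind']:<16} {f['value']}")
    print(summarize(scan_config(SAMPLE_CONFIG)))
```

Because the rootkit hides running-configuration items on the compromised device itself, run this over configurations held by a backup or configuration-management system rather than over output pulled from the switch, and treat a clean result as inconclusive: as the article notes, confirming or ruling out compromise requires Cisco TAC's low-level firmware and ROM investigation.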

Advanced Network Infiltration Capabilities

The campaign demonstrates sophisticated network infiltration techniques that allow attackers to bypass multiple security layers and achieve lateral movement across segmented networks. Attackers use compromised core switches to bridge different VLANs by adding routing rules, then impersonate legitimate waystation IP addresses to bypass internal firewalls.

The operation includes ARP spoofing tools specifically designed for Cisco guest shells, enabling attackers to redirect traffic and force legitimate network devices offline through IP address conflicts. Newer switch models incorporate Address Space Layout Randomization (ASLR) protection, though Trend Micro notes that persistent targeting can still succeed.

Currently, no universal automated tool exists to reliably determine whether a Cisco switch has been compromised by the Zero Disco operation. Organizations suspecting compromise should contact Cisco Technical Assistance Center immediately for low-level firmware and ROM region investigation.