Operation Zero Disco rootkit

They set a universal password containing the string “disco” (a subtle alteration of “Cisco”), allowing unauthorized access through multiple authentication methods.

The rootkits act as UDP listeners accepting packets on any IP assigned to the device, permitting remote execution of malicious commands.

The core vulnerability exploited is CVE-2025-20352, a stack overflow flaw in the Simple Network Management Protocol (SNMP) subsystem of Cisco devices. It allows authenticated remote attackers to execute arbitrary code by sending specially crafted SNMP packets.

These rootkits operate largely filelessly by hooking into the Cisco IOS daemon (IOSd) memory, enabling persistent and stealthy control of the infected switches.

They set a universal password containing the string “disco” (a subtle alteration of “Cisco”), allowing unauthorized access through multiple authentication methods.

They set a universal password containing the string “disco” (a subtle alteration of “Cisco”), allowing unauthorized access through multiple authentication methods.

Once exploited, attackers gain remote code execution (RCE) capabilities and implant sophisticated Linux rootkits. These rootkits operate largely filelessly by hooking into the Cisco IOS daemon (IOSd) memory, enabling persistent and stealthy control of the infected switches.

Attackers can disable or delete device logs to erase traces of their presence. They reset the last running-config write timestamp to make changes appear non-existent.

They set a universal password containing the string “disco” (a subtle alteration of “Cisco”), allowing unauthorized access through multiple authentication methods.

They hide specific running configuration items in memory, including user accounts (e.g., dg3y8dpk, dg4y8epk), Embedded Event Manager (EEM) scripts (CiscoEMX-1 to CiscoEMX-5), and access control lists (e.g., EnaQWklg0).

These rootkits operate largely filelessly by hooking into the Cisco IOS daemon (IOSd) memory, enabling persistent and stealthy control of the infected switches.

Use ARP spoofing to impersonate IP addresses and bypass internal firewall restrictions for lateral movement within the network.

Alongside this, attackers have been observed leveraging a modified Telnet vulnerability (related to CVE-2017-3881) to enable memory read/write access on targeted devices.

Use ARP spoofing to impersonate IP addresses and bypass internal firewall restrictions for lateral movement within the network.

Bypass controls such as AAA authentication and virtual terminal (VTY) access control lists.