Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 for Rootkit Deployment
Attackers launched a coordinated campaign known as Operation Zero Disco, exploiting a critical vulnerability in Cisco's Simple Network Management Protocol (SNMP), identified as CVE-2025-20352. This vulnerability enables remote code execution (RCE) on affected Cisco switches, allowing threat actors to implant persistent Linux rootkits. The primary targets of this operation were Cisco 9400, 9300, and legacy 3750G series switches, particularly those running older Linux systems lacking modern endpoint detection and response (EDR) solutions. Attackers leveraged the SNMP flaw to gain unauthorized access, set universal passwords, and install hooks directly into the IOSd memory space, ensuring deep persistence and evasion from standard security monitoring. In addition to exploiting CVE-2025-20352, the attackers attempted to leverage a modified Telnet vulnerability, based on the older CVE-2017-3881, to further enable memory access and expand their foothold. The operation was characterized by the use of spoofed IP addresses and Mac email accounts to obfuscate the origin of the attacks and complicate attribution. Security researchers observed that the rootkits deployed were specifically designed to hide malicious activity and resist blue-team investigation, making detection and remediation more challenging. The campaign highlighted the risks associated with unpatched or unsupported network infrastructure, especially in environments where legacy devices are still in operation. Trend Micro's research emphasized the importance of advanced threat detection solutions, such as Trend Cloud One Network Security and Deep Discovery Inspector, which can identify Cisco-specific exploits and malicious controller communications. These tools utilize extended detection and response (XDR) capabilities and virtual patching to mitigate risks in hybrid cloud and traditional network environments. The incident underscores the need for organizations to promptly apply security advisories, update device firmware, and implement network segmentation to limit the impact of such exploits. Cisco's advisory on CVE-2025-20352 provided technical details and mitigation steps, but the operation demonstrated that attackers are quick to weaponize newly disclosed vulnerabilities. The use of rootkits on network devices represents a significant escalation in attacker sophistication, as it allows for long-term persistence and potential lateral movement within compromised environments. The campaign also serves as a warning for organizations relying on legacy hardware, which may not receive timely security updates or support. Security teams are advised to monitor for unusual SNMP activity, unauthorized configuration changes, and signs of rootkit installation on network devices. The Operation Zero Disco campaign is a stark reminder of the evolving threat landscape targeting network infrastructure and the critical importance of proactive vulnerability management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public reporting details Operation Zero Disco and CVE-2025-20352 abuse
Security researchers and news outlets publicly disclosed technical details of Operation Zero Disco, linking the campaign to exploitation of CVE-2025-20352 in Cisco's SNMP implementation. The reporting highlighted rootkit deployment on switches and the risks posed by unpatched network infrastructure.
Attackers exploit Cisco SNMP flaw to implant Linux rootkits on switches
A campaign dubbed Operation Zero Disco used the Cisco SNMP vulnerability CVE-2025-20352 to compromise Cisco switches and deploy Linux rootkits, enabling persistent access on affected network devices. Multiple reports describe the activity as targeting legacy Cisco infrastructure and using fileless or stealthy payloads.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
‘Zero Disco’ campaign hits legacy Cisco switches with fileless rootkit payloads
csoonline.com
Open sourceIntrusions with Cisco SNMP bug facilitate Linux rootkit deployment
scworld.com
Open sourceHackers used Cisco zero-day to plant rootkits on network switches (CVE-2025-20352)
helpnetsecurity.com
Open sourceOperation Zero Disco: Threat actors targets Cisco SNMP flaw to drop Linux rootkits
securityaffairs.com
Open sourceHackers Deploy Linux Rootkits via Cisco SNMP Flaw in "Zero Disco' Attacks"
thehackernews.com
Open sourceHackers exploit Cisco SNMP flaw to deploy rootkit on switches
bleepingcomputer.com
Open sourceOperation Zero Disco: Critical Cisco SNMP Flaw (CVE-2025-20352) Used to Implant Linux Rootkits on Switches
securityonline.info
Open sourceOperation Zero Disco: Cisco SNMP Vulnerability Exploited
thecyberthrone.in
Open sourceOperation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits | Trend Micro (US)
trendmicro.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices
A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.
Mar 21, 2026
Coordinated Attacks and Zero-Day Exploitation Targeting Cisco, Palo Alto, and Fortinet Network Devices
A coordinated cyberattack campaign has been identified targeting major networking devices from Cisco, Palo Alto Networks, and Fortinet, with evidence suggesting a single threat actor is orchestrating the activity. Security researchers at GreyNoise observed simultaneous scanning of Cisco ASA devices, increased login attempts against Palo Alto Networks portals, and brute-force attacks on Fortinet SSL VPNs, all originating from shared subnets and exhibiting recurring TCP fingerprints. This temporal and infrastructural correlation points to a sophisticated, cross-vendor campaign rather than opportunistic attacks. Experts note that adversaries are leveraging generative AI to automate these attacks, adopting tactics typically associated with nation-state actors. The campaign is notable for its focus on high-value targets such as networking devices and VPNs, which serve as critical gateways into enterprise networks and often possess privileged access that can bypass internal security controls. Industries such as manufacturing, industrials, and utilities are particularly at risk due to the potential for operational disruption and rapid financial gain for attackers. Concurrently, Cisco disclosed two zero-day vulnerabilities in its ASA and Secure Firewall Threat Defense software, identified as CVE-2025-20333 and CVE-2025-20362, which are being actively exploited in the wild. CVE-2025-20333 allows authenticated remote code execution due to improper input validation in the VPN web server, potentially granting attackers root-level access. CVE-2025-20362 is an authentication bypass flaw that enables remote attackers to access restricted endpoints without credentials. The combination of these vulnerabilities poses a severe risk, as attackers can gain full control of affected devices. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed ongoing exploitation and is collaborating with government agencies to coordinate a response. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, urging all federal agencies to immediately mitigate exposure and assess for compromise. Over 90,000 Cisco FTD devices are reportedly exposed, highlighting the scale of the threat. Attackers are conducting large-scale scanning campaigns to identify vulnerable ASA login portals and entry points. Security experts emphasize the urgent need for organizations to inventory their Cisco ASA and FTD devices, apply available patches, and implement recommended mitigations. The campaign’s use of shared infrastructure and advanced automation underscores a shift in attacker methodology toward more efficient and targeted operations. The strategic targeting of network infrastructure devices reflects their critical role in enterprise security and the high impact of successful compromise. Organizations are advised to monitor for signs of compromise, follow vendor and government guidance, and prioritize remediation of affected systems. The ongoing nature of the attacks and the active exploitation of zero-day vulnerabilities make this a critical threat to enterprise and government networks worldwide.
Mar 21, 2026
Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting **CVE-2026-20127**, a critical `CVSS 10.0` authentication bypass in **Cisco Catalyst SD-WAN Controller** and **Catalyst SD-WAN Manager**. The flaw affects the peering authentication process and lets unauthenticated remote attackers gain administrative access, use `NETCONF`, and alter SD-WAN fabric configuration, including adding **malicious rogue peers**. Cisco Talos attributed the activity to a sophisticated cluster tracked as **UAT-8616**, with evidence suggesting exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks. Investigators said the intrusions often continued with a downgrade of the appliance software to exploit **CVE-2022-20775** for **root** privilege escalation, after which the original version was restored to help conceal the compromise while maintaining persistence. In response, **CISA** added both CVEs to the **Known Exploited Vulnerabilities** catalog and issued **Emergency Directive 26-03** for U.S. federal civilian agencies, while the **UK NCSC**, **ACSC**, **Canadian Centre for Cyber Security**, and other partners released joint hunting and hardening guidance. Cisco said there are **no complete workarounds**, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
Apr 21, 2026