Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in ‘Zero Disco’ Attacks

Oct 16, 2025 | Ravie Lakshmanan | Vulnerability / Linux

Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw affecting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.

The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a vulnerable device. The intrusions have not been attributed to any known threat actor or group.

The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.


“The operation primarily affected Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said.

The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.

Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response (EDR) solutions enabled, making it possible to deploy the rootkits in order to fly under the radar. In addition, the adversary is said to have used spoofed IP and MAC addresses in their intrusions.

The rootkit is commandeered by means of a UDP controller component that can act as a listener for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, hide certain portions of the running configuration, and hide changes made to the configuration by altering the timestamp to give the impression that it was never modified.
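
Because the implant described above can hide parts of the running configuration and reset the change timestamp, a defender cannot rely on the device's own "last changed" header. The following added example (not code from the article or from Trend Micro) compares a trusted, out-of-band baseline of `show running-config` with a freshly pulled copy and flags drift that coincides with an unchanged timestamp; both configs are constructed samples.

```python
"""Out-of-band config drift check for Cisco IOS devices: compares a trusted
baseline of `show running-config` with a freshly pulled copy and reports
differences without trusting the device's own change timestamp, which the
rootkit described above rewrites. Added defender-side example, not code from
the article or Trend Micro; the two configs below are constructed samples."""
import re
from typing import List, NamedTuple, Optional

# IOS rewrites this header on every change; an implant can reset it to hide edits.
CHANGE_HDR = re.compile(r"^! Last configuration change at (.+)$")


class Drift(NamedTuple):
    added: List[str]            # lines present now but absent from the baseline
    removed: List[str]          # baseline lines the device no longer shows
    timestamp_unchanged: bool   # header still matches baseline despite drift


def change_timestamp(cfg: str) -> Optional[str]:
    for line in cfg.splitlines():
        m = CHANGE_HDR.match(line)
        if m:
            return m.group(1).strip()
    return None


def config_lines(cfg: str) -> List[str]:
    # Drop comment and blank lines; membership, not order, is what we compare.
    return [ln.rstrip() for ln in cfg.splitlines()
            if ln.strip() and not ln.startswith("!")]


def config_drift(baseline: str, current: str) -> Drift:
    base, cur = config_lines(baseline), config_lines(current)
    bset, cset = set(base), set(cur)
    added = [ln for ln in cur if ln not in bset]
    removed = [ln for ln in base if ln not in cset]
    same_ts = change_timestamp(baseline) == change_timestamp(current)
    # An untouched timestamp is only suspicious when the content actually moved.
    return Drift(added, removed, same_ts and bool(added or removed))


BASELINE = """! Last configuration change at 09:12:44 UTC Mon Sep 1 2025 by netops
version 15.2
hostname edge-sw1
snmp-server community public RO
logging host 10.0.0.5
"""
# Constructed "after" copy: a new local account appears and the syslog target
# is gone, yet the header timestamp is identical to the baseline.
CURRENT = BASELINE.replace("logging host 10.0.0.5\n",
                           "username support privilege 15 secret 5 $PLACEHOLDER$\n")
```

The baseline must come from a copy stored off the device (for example, a configuration archive pulled before exposure), since an implant that hides configuration lines will also hide them from a fresh `show running-config`.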

Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.


The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it, a one-letter change from “Cisco.”

“The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”
