Ethical Hacking News

A New Low in Cybersecurity: The Zero-Day Attack Campaign Exploiting Cisco SNMP Flaw


Security researchers have uncovered a new campaign exploiting a recently disclosed vulnerability impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older systems. The operation, dubbed "Zero Disco," highlights the ever-present threat landscape in cybersecurity.

  • Cisco IOS Software and IOS XE Software are affected by a recently disclosed security flaw (CVE-2025-20352) that attackers are actively exploiting.
  • The vulnerability is a stack overflow in the Simple Network Management Protocol (SNMP) subsystem that allows an authenticated, remote attacker to achieve remote code execution.
  • Attackers targeted older, unprotected systems running Linux and used a zero-day exploit to deploy Linux rootkits.
  • The campaign, dubbed "Zero Disco," uses a combination of social engineering and sophisticated tactics to evade detection.
  • Newer switch models provide some protection via Address Space Layout Randomization (ASLR), but repeated attempts can still succeed.
  • The importance of timely patching and regular vulnerability assessments cannot be overstated in the face of this evolving threat landscape.



In a disturbing turn of events, cybersecurity researchers at Trend Micro have revealed details of a novel campaign that has been exploiting a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The operation, dubbed "Zero Disco" by the researchers, is a stark reminder of the ever-evolving nature of cyber threats and the importance of timely patching.

The vulnerability in question, CVE-2025-20352, is a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group, but the use of a zero-day exploit suggests a high degree of sophistication and stealth.

According to researchers Dove Chiu and Lucien Chuang, the operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices. The attackers were able to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. This is a particularly concerning development, as it highlights the potential for attackers to achieve long-term access to compromised systems.

Furthermore, the researchers noted that the threat actors targeted victims running older Linux systems that do not have endpoint detection and response (EDR) solutions enabled. This allows them to deploy rootkits in order to fly under the radar and avoid detection. The use of spoofed IPs and MAC email addresses in their intrusions also suggests a level of social engineering sophistication.

Another notable aspect of the attacks is the deployment of a modified Telnet exploit, a variant of CVE-2017-3881. This allows attackers to read and write memory at arbitrary addresses, although the exact nature of this functionality remains unclear. The researchers noted that newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, repeated attempts can still succeed.

The name "Zero Disco" is a reference to the fact that the implanted rootkit sets a universal password that includes the word "disco" in it -- a one-letter change from "Cisco." This is an interesting development, as it highlights the creative ways in which attackers are trying to evade detection and disguise their malicious activities.

The discovery of this campaign serves as a stark reminder of the importance of timely patching and regular vulnerability assessments. It also underscores the need for organizations to implement robust security measures, including endpoint detection and response (EDR) solutions, regular software updates, and tight control over which hosts can reach management services such as SNMP and Telnet on network devices.
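Because CVE-2025-20352 requires an authenticated attacker (someone who already holds a valid SNMP community string or SNMPv3 credentials), narrowing which hosts can reach SNMP at all, and removing Telnet (the path CVE-2017-3881 uses), cuts the exposed surface while patches are rolled out. As an added example that is not from the article or from Trend Micro's research, the Python script below audits a Cisco IOS-style running-config for exactly those two exposure paths: SNMPv1/v2c communities with no access list, read-write communities, well-known community names, and `line vty` blocks that still accept Telnet. The config excerpt, hostname and ACL number are constructed for illustration; the checks assume the standard IOS `snmp-server community <string> [view ...] [RO|RW] [acl]` and `transport input <protocols>` syntax.

```python
"""Audit a Cisco IOS-style running-config for SNMP and Telnet exposure.

Added example, not the article's or Trend Micro's code. Run it against
the output of `show running-config` saved to a file; the SAMPLE_CONFIG
below is constructed and is not from any real device.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: one ACL-less default community, one RW community
# restricted by ACL 10, an SNMPv3 group, and Telnet left on vty 0-4.
SAMPLE_CONFIG = """\
hostname core-sw1
!
snmp-server community public RO
snmp-server community netops RW 10
snmp-server group v3admins v3 priv
!
access-list 10 permit 192.0.2.10
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium"
    line: int       # 1-based line number in the config text
    message: str


# snmp-server community <string> [view <name>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)
VTY_RE = re.compile(r"^line vty\b", re.IGNORECASE)
TRANSPORT_RE = re.compile(r"^\s+transport input\s+(.+?)\s*$", re.IGNORECASE)
COMMON_NAMES = {"public", "private", "cisco"}  # widely guessed defaults


def audit_snmp(lines):
    """Flag SNMPv1/v2c communities and their access controls."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = COMMUNITY_RE.match(raw.rstrip())
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        findings.append(Finding("medium", n,
            f"SNMPv1/v2c community '{name}' configured; prefer SNMPv3 with auth and priv"))
        if acl is None:
            findings.append(Finding("high", n,
                f"community '{name}' ({mode}) has no ACL: any host that knows the string can send SNMP packets"))
        if mode == "RW":
            findings.append(Finding("high", n,
                f"community '{name}' is read-write; remove or restrict to a management host"))
        if name.lower() in COMMON_NAMES:
            findings.append(Finding("high", n,
                f"community '{name}' is a well-known default name"))
    return findings


def audit_vty(lines):
    """Flag vty line blocks whose transport input still accepts Telnet."""
    findings = []
    block = None  # (header line number, header text) of the current 'line vty' block
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if VTY_RE.match(line):
            block = (n, line)
            continue
        if block is not None and not line.startswith(" "):
            block = None  # any non-indented line ends the vty block
        if block is None:
            continue
        m = TRANSPORT_RE.match(line)
        if m:
            protos = set(m.group(1).lower().split())
            if "telnet" in protos or "all" in protos:
                findings.append(Finding("high", n,
                    f"{block[1]}: Telnet accepted ({' '.join(sorted(protos))}); restrict to ssh"))
    return findings


def audit_config(text):
    """Run all checks over a running-config string, ordered by config line."""
    lines = text.splitlines()
    return sorted(audit_snmp(lines) + audit_vty(lines), key=lambda f: f.line)


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_config(text)
    for f in results:
        print(f"[{f.severity:6}] line {f.line:3}: {f.message}")
    print("summary:", summarize(results))
```

On the constructed sample the script reports four high and two medium findings: the `public` community (no ACL, default name), the read-write `netops` community, and Telnet on `line vty 0 4`; the SNMPv3 group and the SSH-only `vty 5 15` block produce nothing. An ACL on a community only limits who can reach SNMP with that string; it is a stopgap, not a substitute for applying Cisco's fix for CVE-2025-20352.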

In conclusion, the "Zero Disco" attack campaign is a sobering reminder of the ever-present threat landscape in cybersecurity. As attackers continue to evolve and adapt their tactics, it is essential that organizations prioritize security and take proactive steps to protect themselves against emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Low-in-Cybersecurity-The-Zero-Day-Attack-Campaign-Exploiting-Cisco-SNMP-Flaw-ehn.shtml

  • https://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20352

  • https://www.cvedetails.com/cve/CVE-2025-20352/

  • https://nvd.nist.gov/vuln/detail/CVE-2017-3881

  • https://www.cvedetails.com/cve/CVE-2017-3881/


Published: Thu Oct 16 14:34:19 2025 by llama3.2 3B Q4_K_M