Cisco SNMP Flaw Exploited: Hackers Deploy Linux Rootkits in 'Zero Disco' Attacks (2025)

A new cyberattack campaign, dubbed "Operation Zero Disco," is exploiting a vulnerability in Cisco systems to deploy Linux rootkits on the affected devices. The campaign is a reminder of how much risk still sits in unpatched network equipment. Let's dive in and unpack the details.

The core of this threat revolves around CVE-2025-20352, a critical security flaw within the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and IOS XE Software. This vulnerability, which received a CVSS score of 7.7, allows remote attackers to execute arbitrary code. In simple terms, this means that hackers can inject their own malicious instructions into a vulnerable Cisco device just by sending it specially crafted SNMP packets.

This vulnerability was exploited as a zero-day, meaning it was used in real-world attacks before a patch was available. Cisco has since issued a fix, but the intrusions had already taken place. The attacks, which have not been attributed to any known threat actor or group, primarily targeted older, unprotected systems, specifically Cisco 9400, 9300, and legacy 3750G series devices.

Researchers Dove Chiu and Lucien Chuang have also noted attempts to exploit a modified Telnet vulnerability, based on CVE-2017-3881, so as to allow memory read/write at arbitrary addresses; the exact nature of this functionality remains unclear. The rootkits allowed attackers to achieve remote code execution and gain persistent, unauthorized access by setting universal passwords and installing hooks into the memory space of the Cisco IOS daemon (IOSd). IOSd runs as a software process on top of the Linux kernel.

The attackers specifically targeted older Linux systems that lacked endpoint detection and response solutions, allowing the rootkits to operate stealthily. They also used spoofed IP and MAC addresses to conceal their activities.
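The two exposure paths described above are SNMP (CVE-2025-20352) and Telnet (the CVE-2017-3881 variant). A defender's first step on older switches is to find out which devices still expose them. The script below is an added example, not Cisco's tooling or anything from the researchers' report: it audits a constructed IOS / IOS XE running-config fragment for SNMP community strings without an ACL, well-known community strings, and Telnet enabled on vty lines. The config text, hostnames and ACL names are constructed; the IOS command syntax it parses (`snmp-server community`, `line vty`, `transport input`) is standard.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP and Telnet exposure.

Added example (not Cisco tooling). SAMPLE_CONFIG is a constructed fragment.
"""
import re
from dataclasses import dataclass

# Constructed running-config excerpt: some good lines, some bad ones.
SAMPLE_CONFIG = """\
hostname core-sw-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community monitor RO 10
snmp-server community netops RW MGMT-HOSTS
snmp-server group v3admins v3 priv
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Community strings that appear in every default wordlist.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community <name> [view <view>] [RO|RW] [<acl-number|acl-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$",
    re.IGNORECASE,
)
VTY_RE = re.compile(r"^line vty (\d+) (\d+)")
TRANSPORT_RE = re.compile(r"^\s+transport input (.+)$")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # offending config line
    reason: str


def audit_config(text: str) -> list[Finding]:
    """Return a list of findings for the given running-config text."""
    findings: list[Finding] = []
    current_vty = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            mode = (mode or "RO").upper()  # IOS defaults to RO when omitted
            if acl is None:
                # A RW community reachable from anywhere is the worst case;
                # an unrestricted RO community still exposes the SNMP parser.
                sev = "high" if mode == "RW" else "medium"
                findings.append(Finding(sev, line, f"{mode} community has no ACL"))
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(Finding("high", line, "well-known community string"))
            continue
        m = VTY_RE.match(line)
        if m:
            current_vty = f"vty {m.group(1)} {m.group(2)}"
            continue
        m = TRANSPORT_RE.match(line)
        if m and current_vty:
            transports = m.group(1).lower().split()
            if "telnet" in transports or "all" in transports:
                findings.append(Finding("high", line, f"Telnet enabled on {current_vty}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
    print(summarize(results))
```

Run against a real `show running-config` export, the ACL-less RW communities and Telnet-enabled vty lines are the ones to fix first; on the constructed sample the script reports four high findings and one medium.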

The name "Zero Disco" is a reference to the fact that the implanted rootkit sets a universal password that includes the word "disco" – a one-letter change from "Cisco." The malware then installs several hooks into IOSd memory; because these components are fileless, they disappear after a reboot. Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.
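Because ASLR turns a single exploitation attempt into a series of retries, and because the hooks live only in memory, the observable signals on the device side are bursts of SNMP authentication failures followed by an unexpected restart. The detector below is an added example, not part of the original article or the researchers' work: it runs over a few constructed syslog lines using the standard Cisco `%SNMP-3-AUTHFAIL` and `%SYS-5-RESTART` mnemonics, flags a source that produces a burst of SNMP failures, and then flags a restart that follows the burst. Hostnames, IP addresses, timestamps and thresholds are constructed or assumed.

```python
"""Flag SNMP auth-failure bursts and restarts that follow them.

Added example; SAMPLE_SYSLOG is constructed, the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines in the common "<month> <day> <time> <host> <mnemonic>: <text>" shape.
SAMPLE_SYSLOG = """\
Oct 10 02:14:01 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 02:14:03 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 02:14:05 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 02:14:09 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 02:14:12 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 02:15:40 core-sw-1 %SYS-5-RESTART: System restarted --
Oct 10 02:16:02 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Oct 10 03:00:00 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.44
Oct 10 03:05:00 core-sw-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.44
"""

LOG_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (%[A-Z0-9]+-\d-[A-Z0-9_]+): (.*)$"
)
HOST_RE = re.compile(r"from host (\S+)")
RESTART_MNEMONICS = {"%SYS-5-RESTART", "%SYS-5-RELOAD"}


def parse_line(line: str, year: int = 2025):
    """Parse one syslog line; the year is assumed because syslog omits it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "device": m.group(2), "mnemonic": m.group(3), "msg": m.group(4)}


def detect(lines, burst_count=5, burst_window=timedelta(seconds=60),
           restart_window=timedelta(seconds=300)):
    """Return alerts: one per source host with an auth-failure burst, plus one
    if the device restarted within restart_window after that burst."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = defaultdict(list)   # source host -> list of failure timestamps
    restarts = []
    for e in events:
        if e["mnemonic"] == "%SNMP-3-AUTHFAIL":
            h = HOST_RE.search(e["msg"])
            if h:
                failures[h.group(1)].append(e["ts"])
        elif e["mnemonic"] in RESTART_MNEMONICS:
            restarts.append(e["ts"])

    alerts = []
    for host, times in failures.items():
        times.sort()
        start = 0
        burst_end = None
        # Sliding window: count failures within burst_window of each other.
        for i, t in enumerate(times):
            while t - times[start] > burst_window:
                start += 1
            if i - start + 1 >= burst_count:
                burst_end = t
        if burst_end is None:
            continue
        alerts.append({"host": host, "kind": "snmp_auth_burst", "at": burst_end})
        # A restart shortly after the burst is consistent with a failed
        # attempt under ASLR; it deserves a look even without other evidence.
        for r in restarts:
            if burst_end <= r <= burst_end + restart_window:
                alerts.append({"host": host, "kind": "restart_after_burst", "at": r})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_SYSLOG.splitlines()):
        print(f"{a['at']:%Y-%m-%d %H:%M:%S}  {a['kind']:20}  {a['host']}")
```

Since the article notes that the attackers spoofed source addresses, a per-host threshold alone can be evaded; in production, also aggregate failures per device regardless of source, and treat any unexplained restart on an unpatched switch as worth correlating with SNMP traffic captured upstream.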

What do you think? Are you surprised by the sophistication of these attacks? Do you think enough is being done to protect older systems? Share your thoughts in the comments below!

Article information

Author: Sen. Ignacio Ratke