“Zero Disco” — Linux rootkits via Cisco SNMP flaw

Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. They also probed a modified Telnet CVE-2017-3881 variant for memory access. Older Linux-based systems without EDR were prime targets; newer models with ASLR fared better, though repeated attempts could still succeed. Cisco patched the SNMP flaw after zero-day exploitation.

Zero Disco: swapping the “s” for “d” and your switch for theirs.

Researchers have outed Operation Zero Disco, a campaign abusing a Cisco SNMP overflow (CVE-2025-20352) to inject Linux rootkits into certain IOS/IOS XE devices. Think 9400/9300 lines and some older 3750G kit—exactly the boxes you’d prefer not to babysit at 2 a.m. The attackers reportedly set a “universal password” featuring the word “disco” (yes, really), then wedge hooks into the IOSd process to bypass AAA and hide their tracks by rewriting timestamps and config views.

It gets worse: they’ve also tinkered with a Telnet memory bug inspired by CVE-2017-3881 to read/write arbitrary memory. Targets skewed towards older Linux systems without EDR—because stealthy rootkits tend to enjoy the quiet life. Newer hardware with ASLR can blunt the blow, but repeated shots may still land.

Why this matters: a compromised network core hands attackers a backstage pass—traffic inspection, config laundering, and persistence that survives reboots via fileless tricks.

Fixes and mitigations
• Patch now: apply Cisco’s update for CVE-2025-20352; audit for Telnet being enabled (then turn it off).
• Lock management: isolate SNMP to trusted managers, enforce strong communities/keys, and prefer v3.
• Harden access: restrict management plane to jump hosts; enable AAA with MFA and logs shipped off-box.
• Hunt: look for unexpected password changes, IOSd anomalies, and configs that never seem to have changed.
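As an added example (not code from Trend Micro’s report or from the original post), here is a small Python script that turns the four bullets above into checks you can run against a config pull and an off-box syslog feed: it audits a running-config for v1/v2c communities, Telnet on the vty lines, missing AAA and missing off-box logging, then hunts syslog for config changes from untrusted sources, credential/AAA commands and SNMP from hosts that aren’t your managers, and finally diffs the device’s config against an archived copy so a box that “never changed” still gets caught. The configs and log lines are constructed samples; the hostnames, the addresses (10.0.0.5 as the trusted jump host, 198.51.100.7 as untrusted) and the NETMON/SNMP-MGRS names are assumptions, and the SNMPv3 credentials are placeholders.

```python
import re

# Constructed sample running-config (not from the page) carrying the weak
# settings the mitigation list calls out: v2c communities with no ACL,
# Telnet still accepted on the vty lines, no AAA and no off-box logging.
WEAK_CONFIG = """\
hostname core-sw-1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device after hardening (also constructed): SNMPv3 authPriv group
# bound to an ACL of trusted managers, SSH only, AAA on, logs shipped off-box.
# The auth/priv strings are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname core-sw-1
aaa new-model
ip access-list standard SNMP-MGRS
 permit 10.0.0.5
snmp-server group NETMON v3 priv access SNMP-MGRS
snmp-server user monitor NETMON v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
logging host 10.0.0.9
line vty 0 4
 transport input ssh
"""


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    for line in lines:
        if re.match(r"snmp-server community \S+", line):
            findings.append(f"SNMP v1/v2c community present: {line.strip()}")
        # vty 'transport input' lines are indented one space under 'line vty'
        if line.startswith(" transport input") and {"telnet", "all"} & set(line.split()):
            findings.append(f"Telnet accepted on vty lines: {line.strip()}")
    uses_snmp = any(line.startswith("snmp-server") for line in lines)
    v3_locked = any(re.match(r"snmp-server group \S+ v3 priv access \S+", line) for line in lines)
    if uses_snmp and not v3_locked:
        findings.append("SNMP not limited to a v3 authPriv group with a manager ACL")
    if "aaa new-model" not in lines:
        findings.append("AAA not enabled (aaa new-model missing)")
    if not any(line.startswith("logging host") for line in lines):
        findings.append("No off-box syslog destination (logging host missing)")
    return findings


# Constructed IOS syslog lines as they would arrive at an off-box collector.
# 10.0.0.5 is the trusted jump host; 198.51.100.7 is not.
SAMPLE_SYSLOG = [
    "Oct 16 02:13:07 core-sw-1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Oct 16 02:14:40 core-sw-1 102: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.7)",
    "Oct 16 02:14:41 core-sw-1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc-backup privilege 15 secret 5 <removed>",
    "Oct 16 02:15:02 core-sw-1 104: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7",
    "Oct 16 02:16:00 core-sw-1 105: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
]

TRUSTED_SOURCES = {"10.0.0.5"}
# Commands that change who can log in or how; any of these outside a change window deserves a look.
CREDENTIAL_CMDS = ("username ", "enable secret", "enable password", "aaa ",
                   "snmp-server community", "snmp-server user")


def hunt_logs(lines, trusted=TRUSTED_SOURCES):
    """Return (reason, line) pairs for the events the hunt bullet describes."""
    alerts = []
    for line in lines:
        m = re.search(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \((\S+)\)", line)
        if m and m.group(2) not in trusted:
            alerts.append((f"config change by {m.group(1)} from untrusted {m.group(2)}", line))
        m = re.search(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)", line)
        if m and m.group(2).startswith(CREDENTIAL_CMDS):
            alerts.append((f"credential/AAA change by {m.group(1)}: {m.group(2)}", line))
        m = re.search(r"SNMP req from host (\S+)", line)
        if m and m.group(1) not in trusted:
            alerts.append((f"SNMP from untrusted host {m.group(1)}", line))
    return alerts


def config_drift(archived: str, current: str) -> dict[str, list[str]]:
    """Compare a freshly pulled config with the off-box archive.

    Hooked IOSd can lie about change timestamps, so the archive, not the
    device, is the source of truth for 'did this config change?'.
    """
    a, c = set(archived.splitlines()), set(current.splitlines())
    return {"added": sorted(c - a), "removed": sorted(a - c)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", audit_config(cfg) or "none")
    for reason, line in hunt_logs(SAMPLE_SYSLOG):
        print("ALERT:", reason)
    tampered = HARDENED_CONFIG + "username svc-backup privilege 15 secret 5 <removed>\n"
    print("drift:", config_drift(HARDENED_CONFIG, tampered))
```

Run it against `show running-config` output and your collector’s export rather than the samples; the point of `config_drift` is that the comparison happens off the device, where a hooked IOSd can’t edit what you see.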

Disco is fun. Zero Disco is not. Patch, segment and watch those management planes.