
"The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group."
"The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access, researchers Dove Chiu and Lucien Chuang said. The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel."
Operation Zero Disco leveraged CVE-2025-20352, a stack overflow in the SNMP subsystem of Cisco IOS and IOS XE, to execute arbitrary code via crafted SNMP packets. Targeted devices included Cisco 9400, 9300, and legacy 3750G series hardware, and the actors also attempted a modified Telnet exploit derived from CVE-2017-3881 to enable arbitrary memory access. The deployed rootkits set universal passwords, implanted hooks into the IOSd memory space, and delivered persistent remote code execution on older Linux systems lacking endpoint detection and response. The adversaries used spoofed IP and MAC addresses. Cisco released a patch after real-world zero-day exploitation; attribution remains unknown.
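Because the SNMP flaw described above is reachable only with valid SNMP credentials, and for SNMPv1/v2c that credential is nothing more than the community string, a defender's first questions are which community strings exist on a device, which sources are allowed to use them, and whether SNMPv3 with encryption is in place. The audit script below is an added example, not code from Trend Micro, Cisco or The Hacker News: it scans a Cisco IOS running-config excerpt for the usual SNMP exposure patterns (default community strings, communities without an ACL, ACLs referenced but never defined, read-write communities, SNMPv3 groups without `priv`). The sample configuration, the list of default community strings and the severity labels are constructed for illustration; the script does not check patch status, which still has to be done against Cisco's advisory.

```python
import re
from dataclasses import dataclass

# Well-known default community strings (illustrative list, not from the report).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Constructed running-config excerpt for demonstration; not from any real device.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
access-list 10 permit 10.10.0.5
access-list 10 deny any log
!
snmp-server community public RO
snmp-server community s3cr3t-rw RW
snmp-server community netmon RO 10
snmp-server community oldnms RO 20
snmp-server group NMS-V3 v3 priv
snmp-server group LEGACY-V3 v3 auth
"""

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"\s+(?P<mode>RO|RW)"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# snmp-server group <name> v3 noauth|auth|priv ...
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+)\s+v3\s+(?P<sec>noauth|auth|priv)\b",
    re.IGNORECASE,
)
# Numbered and named ACL definitions.
ACL_DEF_RE = re.compile(
    r"^(?:access-list (?P<num>\d+)|ip access-list (?:standard|extended) (?P<name>\S+))\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    severity: str  # "critical", "high" or "medium"
    reason: str


def audit_snmp(config: str) -> list[Finding]:
    """Return SNMP exposure findings for a Cisco IOS running-config text."""
    lines = [line.strip() for line in config.splitlines()]

    # First pass: collect every ACL that is actually defined.
    defined_acls = set()
    for line in lines:
        m = ACL_DEF_RE.match(line)
        if m:
            defined_acls.add(m.group("num") or m.group("name"))

    findings: list[Finding] = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group("name"), m.group("mode").upper(), m.group("acl")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(line, "critical", f"default community string '{name}'"))
            if acl is None:
                findings.append(Finding(line, "high",
                    "community has no ACL; any source that knows the string can query SNMP"))
            elif acl not in defined_acls:
                # On IOS a referenced but undefined ACL does not filter anything.
                findings.append(Finding(line, "high",
                    f"ACL '{acl}' is referenced but not defined; community is effectively unrestricted"))
            if mode == "RW":
                findings.append(Finding(line, "high",
                    "read-write community over SNMPv1/v2c; prefer SNMPv3 authPriv"))
            continue

        g = GROUP_RE.match(line)
        if g and g.group("sec").lower() != "priv":
            findings.append(Finding(line, "medium",
                f"SNMPv3 group '{g.group('name')}' uses {g.group('sec')}; use priv for authentication and encryption"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity.upper():8}] {f.line}\n            {f.reason}")
```

Run against an exported `show running-config`; the script is line-based, so it works on configuration archives just as well as on live output. Communities that pass all checks (a non-default string, a defined ACL, read-only) are not reported, and SNMPv3 groups with `priv` are silent.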
Read at The Hacker News