Trend Micro researchers have recently uncovered a sophisticated attack campaign called Operation Zero Disco, which exploited a serious flaw in Cisco's Simple Network Management Protocol (SNMP) implementation to hijack network devices and install Linux rootkits. The campaign mainly targets older switches, where the attacker can set up a persistent backdoor and hide deep inside the corporate network infrastructure.
At the core of the campaign is the CVE-2025-352 vulnerability, which affects both the 32-bit and 64-bit versions of Cisco's device software. The vulnerability allows remote code execution (RCE) on the affected device, giving the attacker a strong foothold for attacks on the internal network. The risk is amplified because many systems still run the default SNMP configuration with a "public" community string, making exploitation easier than ever.
According to Trend Micro's data, the Cisco 9400, 9300 and especially 3750G lines were the most affected. The 3750G series is older, no longer supported, and lacks modern protections such as Address Space Layout Randomization (ASLR), which leaves it exposed. Even on newer models equipped with ASLR, attackers can still succeed by repeatedly attempting the exploit.
After successful exploitation, the attacker deploys a multi-layered rootkit designed to maintain long-term control. One of its most notable features is a "universal password" containing the word "disco", arguably a pun on "Cisco". This password is accepted by most authentication paths, including AAA, local login and enable mode, because the rootkit hooks the authentication functions directly in the memory of the IOSd process. Although this change disappears after a reboot, the fileless components can remain active by reinserting code into memory. The same hooks also disable logging, hiding malicious activity from the device logs.
Figure: The change in IOSd memory for the universal password disappears after a reboot.
The rootkit also includes a UDP-based controller that can operate on any port without opening a visible listening port. Through it, the attacker can toggle logging, wipe the entire log, bypass AAA and the VTY access control list, and even hide parts of the running configuration. By spoofing the IP addresses of administrative workstations, the attacker can bypass internal firewalls, and by resetting the timestamps of configuration changes they can make those changes look as if they never happened.
Figure: The attacker gains access to other protected segments by impersonating the IP address of a jump host to bypass the internal firewall.
Beyond simply taking control of devices, the campaign showed deep penetration into critical network infrastructure. Once the core switches are under control, the attacker adds routing rules to connect otherwise separated VLANs, opening the way for lateral movement across the network. They install ARP spoofing tools that run in Cisco's guest shell to redirect traffic, create IP conflicts, or knock legitimate devices offline in order to take over the network. During the investigation, Trend Micro also uncovered hidden accounts with names ranging from "dg3y8dpk" to "dg7y8hpk", fake EEM scripts named "CiscoEMX-1" through "CiscoEmX-5", and hidden ACLs named "EnaQWklg0" through "EnaiQWkglg2".
Figure: Simulated network diagram in which each region is separated by a different core switch and VLAN.
Notably, the campaign also revived the Telnet vulnerability CVE-2017-3881, a flaw that originally enabled severe RCE but was modified here to provide arbitrary memory read and write capabilities. The goal appears to be a coherent toolset that raises the likelihood of privilege escalation and full compromise of Cisco infrastructure. While the full capability of the modified exploit is unknown, the combination of multiple vulnerabilities and stealth techniques made Operation Zero Disco an extremely dangerous operation.
Figure: In the simulation, the attacker bypasses the external firewall with the recovered password to reach various devices on the network.
On the defensive side, Trend Micro released dedicated detection rules: rule 46396 to detect SNMP exploitation behavior, and rules 5497 and 5488 to identify the rootkit's UDP controller traffic. However, the researchers warn that there is currently no automated tool that can definitively determine whether a Cisco device has been compromised. When in doubt, manual investigation together with the Cisco Technical Assistance Center is necessary to examine memory, compare the configuration against a known-good baseline, and analyze indicators of compromise in depth.
Operation Zero Disco is a strong reminder that running legacy network equipment or leaving default configurations in place is a real security risk. Organizations should upgrade to SNMPv3, change the default community strings, and strengthen traffic monitoring to detect abnormal control signatures. Periodic configuration checks, including discovery of unexpected scripts and accounts, are also important steps to prevent a rootkit from silently persisting in the network.
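As an added example (not code from Trend Micro or the original article), the following Python audit implements the periodic configuration check recommended above: it scans a Cisco IOS-style running-config for default SNMPv1/v2c community strings, local accounts, EEM applets and named ACLs outside an operator-supplied baseline, and Telnet on VTY lines. The sample config and the approved-* baselines are constructed assumptions for demonstration.

```python
import re

# Default community strings that ship on many devices; the campaign above
# relied on "public" being left in place.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample running-config for demonstration (not from a real device).
SAMPLE_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$REDACTED
username dg3y8dpk privilege 15 secret 5 $1$REDACTED
snmp-server community public RO
snmp-server community private RW
snmp-server group v3admins v3 priv
event manager applet CiscoEMX-1
 event none
 action 1.0 cli command "enable"
ip access-list standard EnaQWklg0
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 transport input telnet ssh
"""

def audit_config(config, approved_users=("admin",), approved_applets=(), approved_acls=()):
    """Return (severity, message) findings for a Cisco IOS-style running-config.

    The approved_* baselines are assumptions supplied by the operator; anything
    outside them is reported so it can be checked against change records."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line):
            community, mode = m.group(1), m.group(2) or "RO"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", f"default SNMP community '{community}' ({mode})"))
            else:
                findings.append(("MEDIUM", f"SNMPv1/v2c community '{community}' ({mode}); migrate to SNMPv3"))
        elif m := re.match(r"username (\S+)", line):
            if m.group(1) not in approved_users:
                findings.append(("HIGH", f"local account '{m.group(1)}' not in baseline"))
        elif m := re.match(r"event manager applet (\S+)", line):
            if m.group(1) not in approved_applets:
                findings.append(("HIGH", f"EEM applet '{m.group(1)}' not in baseline"))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            if m.group(1) not in approved_acls:
                findings.append(("HIGH", f"named ACL '{m.group(1)}' not in baseline"))
        elif m := re.match(r"transport input (.+)", line):
            if "telnet" in m.group(1).split():
                findings.append(("MEDIUM", "Telnet enabled on a VTY line"))
    return findings

if __name__ == "__main__":
    for severity, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```

Because the rootkit described above can hide parts of the running configuration from the device itself, run this against a configuration collected out of band or archived before the suspected compromise, and compare the results with a known-good baseline rather than trusting a single live export.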