Intel Name: Operation Zero Disco: Attackers exploit Cisco SNMP vulnerability to deploy rootkits
Date of Scan: October 16, 2025
Impact: High
Summary: Attackers exploited a vulnerability in the SNMP subsystem of Cisco IOS and IOS XE (CVE-2025-20352) to gain remote code execution (RCE) on unpatched switches and used that access to install Linux rootkits. The rootkits maintained persistent, unauthorized access by setting a universal password and embedding hooks into the IOSd memory space. The campaign primarily affected Cisco Catalyst 9400 and 9300 series switches and older 3750G series devices. The attackers also attempted to gain access to system memory with a modified exploit derived from the older Telnet vulnerability CVE-2017-3881. Because the targeted devices are older switches that run a Linux-based operating system and carry no endpoint detection and response (EDR) agent, the rootkits could conceal malicious activity and evade detection by security teams.
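Exploiting the SNMP bug requires reaching the device's SNMP service with credentials it accepts, so the exposure this campaign relies on can be audited from configuration alone. The script below is an added example, not code from the report this entry summarizes, from Cisco, or from the attackers: it parses a constructed Cisco IOS running-config excerpt and flags SNMP settings that widen who can reach the SNMP subsystem (default v1/v2c community strings, read-write communities, communities and SNMPv3 groups without a source ACL, SNMPv3 groups below the priv security level, and ACLs referenced but never defined). The function names, the WEAK_COMMUNITIES list and SAMPLE_CONFIG are the example's own assumptions.

```python
"""Audit a Cisco IOS/IOS XE running-config excerpt for SNMP exposure.

Added example (not from the report summarized above, nor Cisco tooling).
Helper names, WEAK_COMMUNITIES and SAMPLE_CONFIG are illustrative assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str       # offending config line
    severity: str   # "high" or "medium"
    reason: str


# Community strings often left at vendor or tutorial defaults.
# Assumption: a short illustrative list, not a complete wordlist.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "monitor"}

# Constructed running-config excerpt (not captured from any real device).
SAMPLE_CONFIG = """\
hostname core-sw-1
!
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9v-ro-only RO SNMP-MGMT
snmp-server community Xk9v-cutdown view cutdown RO
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
snmp-server group LEGACY-V3 v3 noauth
snmp-server user nms NMS-GROUP v3 auth sha EXAMPLE-AUTH priv aes 128 EXAMPLE-PRIV
!
"""


def defined_acls(config: str) -> set[str]:
    """Names/numbers of ACLs declared in the config (named, numbered and IPv6 forms)."""
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    numbered = re.findall(r"^access-list (\d+) ", config, re.M)
    v6 = re.findall(r"^ipv6 access-list (\S+)", config, re.M)
    return set(named) | set(numbered) | set(v6)


def parse_community(line: str) -> tuple[str, str, str | None]:
    """Return (community, 'RO'|'RW', acl-or-None) for one 'snmp-server community' line.

    IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl6>] [<acl>]
    """
    tokens = line.split()[2:]          # drop 'snmp-server community'
    community, rest = tokens[0], tokens[1:]
    mode, acl = "RO", None             # IOS defaults to read-only when RO/RW is omitted
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.lower() == "view":
            i += 2                     # skip 'view <name>'
            continue
        if tok.lower() == "ipv6":
            acl = rest[i + 1]          # 'ipv6 <named-acl>'
            i += 2
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok                  # trailing token is the IPv4 ACL name/number
        i += 1
    return community, mode, acl


def audit_snmp(config: str) -> list[Finding]:
    """Flag SNMP settings that widen who can reach the SNMP subsystem."""
    findings: list[Finding] = []
    acls = defined_acls(config)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            community, mode, acl = parse_community(line)
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(Finding(line, "high", f"default or guessable community '{community}'"))
            if mode == "RW":
                findings.append(Finding(line, "high", "read-write v1/v2c community (no per-user authentication)"))
            if acl is None:
                findings.append(Finding(line, "medium", "no ACL: SNMP accepted from any source address"))
            elif acl not in acls:
                findings.append(Finding(line, "medium", f"ACL '{acl}' referenced but not defined"))
        elif line.startswith("snmp-server group "):
            level = re.search(r"\sv3\s+(noauth|auth|priv)\b", line)
            if level is None:
                findings.append(Finding(line, "high", "v1/v2c group: community-based access only"))
            elif level.group(1) != "priv":
                sev = "high" if level.group(1) == "noauth" else "medium"
                findings.append(Finding(line, sev, f"SNMPv3 group at '{level.group(1)}' security level"))
            access = re.search(r"\saccess\s+(?:ipv6\s+)?(\S+)", line)
            if access is None:
                findings.append(Finding(line, "medium", "no ACL on SNMP group"))
            elif access.group(1) not in acls:
                findings.append(Finding(line, "medium", f"ACL '{access.group(1)}' referenced but not defined"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings by severity for a fleet-wide report."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(audit_snmp(SAMPLE_CONFIG)))
```

Run it against `show running-config` output collected from each switch. A clean result narrows who can reach the SNMP subsystem; it does not remove the vulnerability, since the bug is reachable by anyone holding credentials the device accepts, so the audit complements, rather than replaces, upgrading to fixed software.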