Cyber threat actors exploited a recently patched vulnerability (CVE-2025-20352) in Cisco devices to deploy a Linux rootkit, gaining persistent access. The attacks targeted older Cisco switches lacking endpoint detection, using malware dubbed "Operation Zero Disco" that can bypass security and move laterally within networks. #CVE-2025-20352 #OperationZeroDisco
Key points
- The vulnerability affects Cisco IOS and IOS XE via the SNMP protocol, leading to remote code execution.
- Attackers targeted Cisco 9400, 9300, and legacy 3750G devices that lacked detection solutions.
- The rootkit includes a UDP controller able to disable logs, bypass ACLs, and enable universal passwords.
- Trend Micro's researchers simulated attacks demonstrating lateral movement and log bypassing techniques.
- Currently, no reliable detection tools exist; low-level firmware analysis is recommended for compromised devices.
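Because the flaw is reached over SNMP, the first defensive question for an unpatched switch is how widely its SNMP service is exposed. The following Python script is an added example, not code from the page or from Cisco or Trend Micro: it audits a saved IOS / IOS XE running-config text for the SNMP weaknesses a reviewer would check (default community strings, communities with no source ACL, read-write communities, no SNMPv3 `priv` group) and prints findings with a severity. The two configs embedded in it are constructed samples, the ACL number and community names are assumptions, and it checks only the common `snmp-server community` and `access-list` syntax forms.

```python
"""Audit a Cisco IOS / IOS XE running-config (as text) for SNMP exposure.

Added example for defenders: flags the settings that widen the SNMP attack
surface on a switch that cannot be patched immediately.
"""
import re

# Constructed sample of a weak running-config (not from any real device).
WEAK_CONFIG = """\
hostname switch-lab
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
snmp-server community public RO
snmp-server community n3tm0n RO 10
snmp-server community private RW
snmp-server group NETMON v3 priv
!
"""

# Constructed hardened counterpart: one RO community locked to an ACL, SNMPv3 priv.
HARDENED_CONFIG = """\
hostname switch-lab
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
snmp-server community n3tm0n RO 10
snmp-server group NETMON v3 priv
!
"""

# Community strings that are vendor defaults or appear in every wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$"
)
# access-list 10 ... / ip access-list standard|extended NAME
ACL_RE = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)")


def parse_acls(config):
    """Return the set of ACL numbers/names that are actually defined."""
    acls = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config):
    """Return a list of (severity, message) findings for the SNMP section."""
    findings = []
    acls = parse_acls(config)
    has_v3_priv = False
    for line in config.splitlines():
        if re.match(r"^snmp-server group \S+ v3 priv\b", line):
            has_v3_priv = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", f"default/guessable community '{community}'"))
        if acl is None:
            findings.append(("HIGH", f"community '{community}' ({mode}) has no source ACL"))
        elif acl not in acls:
            findings.append(("HIGH", f"community '{community}' references ACL {acl}, "
                                     f"which is not defined in this config"))
        if mode == "RW":
            findings.append(("MEDIUM", f"read-write community '{community}' is enabled"))
    if not has_v3_priv:
        findings.append(("MEDIUM", "no SNMPv3 'priv' group: only v1/v2c community access"))
    return findings


def report(config):
    """Print findings in a grep-friendly form and return how many were HIGH."""
    findings = audit_snmp(config)
    for severity, message in findings:
        print(f"[{severity}] {message}")
    return sum(1 for severity, _ in findings if severity == "HIGH")


if __name__ == "__main__":
    print("== weak config ==")
    report(WEAK_CONFIG)
    print("== hardened config ==")
    report(HARDENED_CONFIG)
```

Run it against the output of `show running-config` saved to a file; a clean result does not mean the device is patched or uncompromised, it only shows that SNMP is reachable from a restricted set of sources, which narrows who could reach the vulnerable code path while the upgrade and the firmware-level review recommended above are scheduled.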