Sheridan, WY, 27 October 2025 – Cybersecurity researchers have uncovered a new hacking campaign targeting older Cisco network devices, exposing a serious security flaw in Cisco IOS and IOS XE software. The campaign, named Operation Zero Disco by Trend Micro, exploited a recently discovered vulnerability to install Linux rootkits and gain unauthorized access.
The attackers used CVE-2025-20352, a stack overflow flaw in SNMP (Simple Network Management Protocol). The vulnerability lets a remote, authenticated attacker run arbitrary code on vulnerable devices by sending specially crafted SNMP packets.
Affected devices include the Cisco 9400, 9300, and older 3750G series. In some cases, attackers also tried a modified version of a Telnet vulnerability (based on CVE-2017-3881) to access memory on the devices.
Once inside, the malware can:
- Execute code remotely
- Set a universal password to access the device
- Hide changes and activity from logs
- Alter system memory to bypass security checks
- Persist even after reboots
Researchers Dove Chiu and Lucien Chuang noted that the malware specifically targets older Linux-based systems that lack modern endpoint detection tools, allowing attackers to remain unnoticed.
The rootkit gets its name from the universal password it sets, which contains the word “disco”, a slight twist on “Cisco.” The malware also installs hooks into IOSd, the core Cisco software process, making it partly “fileless.” This means some components vanish after a reboot, which makes detection harder.
Newer Cisco switches have protections like Address Space Layout Randomisation (ASLR), which makes attacks less likely to succeed, but repeated attempts can still compromise even these systems.
Operation Zero Disco shows how quickly hackers can exploit even newly patched vulnerabilities. Cisco released fixes last month, but attackers had already begun exploiting the flaw. Users with older devices or outdated security protections remain especially at risk.
Experts advise companies to:
- Update all Cisco devices immediately
- Enable endpoint detection and response tools
- Monitor for unusual network activity
- Avoid using default or simple passwords
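As an added example (not code from the Trend Micro report or from Cisco), the following Python monitor applies the last two recommendations to Cisco IOS syslog output: it flags SNMP authentication failures from hosts outside a management allow-list, bursts of failures from a single host, configuration changes made from unexpected hosts, and a device restart that follows failed SNMP requests. The log lines, the allow-list, the host addresses and the threshold are constructed assumptions; the message mnemonics follow the common Cisco IOS syslog format.

```python
import re
from collections import Counter

# Constructed sample syslog lines in Cisco IOS format (not real captures).
SAMPLE_LOGS = """\
Oct 27 09:01:02 sw-core-1 1234: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 09:01:05 sw-core-1 1235: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 09:01:09 sw-core-1 1236: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 09:02:00 sw-core-1 1237: %SYS-5-RESTART: System restarted --
Oct 27 09:10:00 sw-core-1 1240: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.5
Oct 27 09:11:00 sw-core-1 1241: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
"""

# Assumed allow-list: the only hosts that should poll SNMP or push configuration.
ALLOWED_MGMT_HOSTS = {"10.0.0.5"}
# Assumed threshold: this many failures from one host is treated as a burst.
AUTHFAIL_THRESHOLD = 3

AUTHFAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL: .* from host (\S+)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by \S+ \((\S+)\)")
RESTART_RE = re.compile(r"%SYS-5-RESTART:")


def analyse(log_text, allowed=ALLOWED_MGMT_HOSTS, threshold=AUTHFAIL_THRESHOLD):
    """Scan syslog text and return the findings a defender would triage."""
    authfails = Counter()
    findings = {
        "unexpected_snmp_sources": set(),    # SNMP failures from non-allow-listed hosts
        "authfail_bursts": set(),            # hosts reaching the failure threshold
        "unexpected_config_sources": set(),  # config changes from non-allow-listed hosts
        "restart_after_snmp_authfail": False,  # reload after failed SNMP requests
    }
    seen_authfail = False
    for line in log_text.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            host = m.group(1)
            authfails[host] += 1
            seen_authfail = True
            if host not in allowed:
                findings["unexpected_snmp_sources"].add(host)
            if authfails[host] >= threshold:
                findings["authfail_bursts"].add(host)
            continue
        m = CONFIG_RE.search(line)
        if m and m.group(1) not in allowed:
            findings["unexpected_config_sources"].add(m.group(1))
            continue
        # An unexpected reload shortly after failed SNMP requests deserves a look.
        if RESTART_RE.search(line) and seen_authfail:
            findings["restart_after_snmp_authfail"] = True
    return findings
```

Feed the function the device's syslog export; any non-empty set or a True restart flag is a lead for incident response, not proof of compromise.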
As cyber threats evolve, campaigns like Zero Disco highlight the need for continuous vigilance and proactive security measures, even on devices considered standard or “trusted.”