A newly uncovered cyber campaign, dubbed Operation Zero Disco, has been exploiting a vulnerability in Cisco’s SNMP service to install stealthy Linux rootkits on compromised devices, according to The Hacker News.

At the center of the operation is CVE-2025-20352, a stack-based overflow in the SNMP subsystem of Cisco IOS and IOS XE Software, rated 7.7 (High) on the CVSS scale. Exploiting it requires valid SNMP credentials, that is a v1/v2c community string or an SNMPv3 user, so weak, default or widely shared community strings are part of the attack surface.
Attackers sent specially crafted SNMP packets to execute arbitrary code on vulnerable devices, with the campaign concentrating on older Cisco Catalyst switches such as the 9400 and 9300 series and the legacy 3750G.
Evidence also suggests the use of a modified variant of CVE-2017-3881, an older Telnet (Cluster Management Protocol) flaw, to obtain read and write access to device memory.
Once inside, the attackers deployed rootkits that hook into IOSd, the IOS daemon that runs as a user-space process on the device’s Linux kernel, allowing them to maintain persistence on the infected devices.
The malware installs a hidden backdoor password containing the string “disco”, the reference that inspired the campaign’s name, and operates partly in memory, with key components disappearing after a reboot.
Older switches running outdated Linux-based firmware with no endpoint detection proved especially vulnerable, and the attackers further concealed their presence by spoofing IP and MAC addresses.
Cisco has already issued patches addressing the SNMP flaw, though evidence indicates that attacks began before the updates were released.
Newer switch models equipped with Address Space Layout Randomization (ASLR) offer some resistance, but because a failed attempt can simply be retried, repeated attempts can still succeed against it.
Security experts warn administrators to patch immediately, restrict SNMP access to known management hosts, replace v1/v2c community strings with SNMPv3, and monitor for signs of abnormal network or memory behaviour, including unexpected device reloads and unfamiliar local accounts.
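As an added example (not code from the article, from Cisco or from the researchers who reported the campaign), the following Python audits a saved IOS/IOS XE running-config for the SNMP exposures that the advice above targets: v1/v2c community strings, well-known community names, read-write access, communities or v3 groups not bound to an access list, v3 groups below the priv level, and access lists that are referenced but never defined. The two sample configs, the ACL name, and the group and user names are constructed for illustration.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP exposure.

Added example for this article; not code from teiss, Cisco or the researchers.
The two configs below are constructed samples, not captures from real devices.
"""
import re
from dataclasses import dataclass

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# Constructed sample: what an exposed legacy switch often looks like.
WEAK_CONFIG = """\
hostname core-sw-3750g
snmp-server community public RO
snmp-server community private RW
snmp-server community M0nitor RO
"""

# Constructed sample: SNMPv3 authPriv, bound to a management ACL.
# Note: real devices do not echo 'snmp-server user' lines in 'show running-config';
# the line is included here only so the sample is self-describing.
HARDENED_CONFIG = """\
hostname core-sw-9300
ip access-list standard SNMP-MGMT
 permit 10.10.0.0 0.0.0.255
 deny   any log
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha <secret> priv aes 128 <secret>
"""

# snmp-server community <name> [view <v>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$", re.I)
# snmp-server group <name> v3 auth|noauth|priv [...] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>auth|noauth|priv)"
    r"(?:\s+.*?\baccess\s+(?P<acl>\S+))?", re.I)
# Named or numbered ACL definitions.
ACL_DEF_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) (?P<name>\S+)|access-list (?P<num>\d+)\s)", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium"
    line: str
    reason: str


def audit_snmp(config: str) -> list[Finding]:
    """Return findings for every SNMP-related weakness in a running-config."""
    findings: list[Finding] = []
    defined_acls: set[str] = set()
    referenced: list[tuple[str, str]] = []  # (acl, config line)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_DEF_RE.match(line)
        if m:
            defined_acls.add(m.group("name") or m.group("num"))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            name, acl = m.group("name"), m.group("acl")
            mode = (m.group("mode") or "RO").upper()  # IOS defaults to RO
            findings.append(Finding("high", line,
                "SNMPv1/v2c community string in use; migrate to SNMPv3 authPriv"))
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding("critical", line, f"well-known community name '{name}'"))
            if mode == "RW":
                findings.append(Finding("critical", line,
                    "read-write community allows configuration changes"))
            if acl is None:
                findings.append(Finding("high", line, "community not bound to an access list"))
            else:
                referenced.append((acl, line))
            continue
        m = GROUP_RE.match(line)
        if m:
            level, acl = m.group("level").lower(), m.group("acl")
            if level != "priv":
                findings.append(Finding("high", line,
                    f"SNMPv3 group at '{level}' level; use priv (authentication and encryption)"))
            if acl is None:
                findings.append(Finding("medium", line, "SNMPv3 group not bound to an access list"))
            else:
                referenced.append((acl, line))
    for acl, line in referenced:
        if acl not in defined_acls:
            findings.append(Finding("high", line,
                f"access list '{acl}' referenced but not defined in this config"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_snmp(cfg)
        print(f"== {label}: {len(found)} finding(s) {count_by_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.line}\n      {f.reason}")
```

Run it against the output of `show running-config` saved to a file; a clean result means only SNMPv3 priv groups bound to a defined access list remain, which is the configuration the patching and access-restriction advice above is aiming for. The script checks configuration only; it does not tell you whether a device has already been compromised.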
Operation Zero Disco highlights how attackers continue to exploit aging network infrastructure to gain deep persistence.
Even seemingly routine services like SNMP can serve as entry points when left unpatched, emphasizing once again the critical need for continuous maintenance and network visibility.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543