Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

    Date: 10/16/2025

    Severity: High

    Summary

    Attackers leveraged a Cisco SNMP vulnerability (CVE-2025-20352) to install Linux rootkits on outdated and unsecured systems. This allowed them to achieve remote code execution (RCE) and maintain persistent, unauthorized access by setting universal passwords and embedding hooks into the IOSd memory space. The campaign primarily affected Cisco 9400, 9300, and older 3750G series devices. The attackers also attempted to exploit a modified version of an older Telnet vulnerability, derived from CVE-2017-3881, to gain access to system memory. Their targets were mainly older Linux systems lacking endpoint detection and response (EDR) tools, where the rootkits were used to conceal malicious activity and evade detection by security teams.

    Indicators of Compromise (IOC) List

    Hash (SHA-256; the same values are used in the detection query below):

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query:

    sha256hash IN ("2abc874435c16aa5cfd431b0d9c26095ef4b9429bd82306f054c367e96df49b2","69d761bdde73ea8e33384cf986d7e9c2d9011f7aad8933e8af64e60a77091e11","B08877f6f1c6c097240a6a8aa4a23243e3b14a1432170bc3fa5fa9886a2b19b4","9b8a896aa2057f46e17b18bbe091d85fb816b1d3232a3178d6aba94df3a92f6a","81b35152768f28a479ba9f7e27d66042b0d7edcd79355481aa401f3f47a7733b","3a524bc40ca7c11b68283504f0119caeefd7589edea621d43d5d0cd973354675","E303d0c6c59b4dc55edc0212a9319702e9db7fa03185ae9177777b874c02d4c1","7cc7aed51adb426e55d82fd74c55b78f6ecbb895a315be721ef149a17f4b3a9b","235dc2d8c92661e5e2797a03bccd2653272ca1ac93401d194d7784930ca17a5a")
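As an added illustration (not code from the advisory, Gurucul or Trend Micro), the following Python applies the same SHA-256 match as the detection query above to a batch of constructed file-hash events, normalising case first because two of the published digests start with an upper-case letter and many collectors emit upper-case hex. The hostnames, paths and event layout are hypothetical.

```python
import re
from typing import Dict, Iterable, List

# SHA-256 IOCs copied from the advisory's detection query. Two were published
# with an upper-case first character, so matching must be case-insensitive.
ZERO_DISCO_SHA256 = (
    "2abc874435c16aa5cfd431b0d9c26095ef4b9429bd82306f054c367e96df49b2",
    "69d761bdde73ea8e33384cf986d7e9c2d9011f7aad8933e8af64e60a77091e11",
    "B08877f6f1c6c097240a6a8aa4a23243e3b14a1432170bc3fa5fa9886a2b19b4",
    "9b8a896aa2057f46e17b18bbe091d85fb816b1d3232a3178d6aba94df3a92f6a",
    "81b35152768f28a479ba9f7e27d66042b0d7edcd79355481aa401f3f47a7733b",
    "3a524bc40ca7c11b68283504f0119caeefd7589edea621d43d5d0cd973354675",
    "E303d0c6c59b4dc55edc0212a9319702e9db7fa03185ae9177777b874c02d4c1",
    "7cc7aed51adb426e55d82fd74c55b78f6ecbb895a315be721ef149a17f4b3a9b",
    "235dc2d8c92661e5e2797a03bccd2653272ca1ac93401d194d7784930ca17a5a",
)
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def normalise_sha256(value: str) -> str:
    """Trim and lower-case a digest; reject anything that is not 64 hex chars."""
    digest = value.strip().lower()
    if not SHA256_HEX.match(digest):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return digest

IOC_SET = frozenset(normalise_sha256(h) for h in ZERO_DISCO_SHA256)

def match_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events whose 'sha256hash' is an IOC; skip missing/malformed digests."""
    hits = []
    for event in events:
        raw = event.get("sha256hash")
        if not raw:
            continue
        try:
            if normalise_sha256(raw) in IOC_SET:
                hits.append(event)
        except ValueError:
            continue  # bad field: log it in a real pipeline, never abort the sweep
    return hits

# Constructed sample events (hypothetical hosts and paths), not advisory data.
SAMPLE_EVENTS = [
    {"host": "core-sw-01", "path": "/tmp/libnet.so", "sha256hash": ZERO_DISCO_SHA256[0]},
    {"host": "core-sw-02", "path": "/tmp/x.bin", "sha256hash": ZERO_DISCO_SHA256[2].upper()},
    {"host": "mgmt-01", "path": "/usr/bin/ls", "sha256hash": "00" * 32},  # benign
    {"host": "mgmt-02", "path": "/tmp/bad", "sha256hash": "not-a-hash"},  # malformed
]
```

Calling match_events(SAMPLE_EVENTS) returns the two IOC hits (core-sw-01 and core-sw-02); the upper-case digest matches only because both sides are normalised before comparison.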

    Reference:    

    https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html  


    Tags

    Vulnerability, CVE-2025, Cisco SNMP, Exploit, Rootkit, Zero Disco, CVE-2017
