A new and highly sophisticated cyberattack campaign, dubbed Operation Zero Disco by Trend Micro researchers, is actively exploiting a critical vulnerability in Cisco network devices to install stealthy Linux rootkits. The attack targets unprotected Cisco switches running older Linux-based IOS and IOS XE software, affecting Cisco 9400, 9300, and legacy 3750G series devices.
About the Vulnerability and Attack
The core vulnerability exploited is CVE-2025-20352, a stack overflow flaw in the Simple Network Management Protocol (SNMP) subsystem of Cisco devices. It allows authenticated remote attackers to execute arbitrary code by sending specially crafted SNMP packets. Alongside this, attackers have been observed leveraging a modified Telnet vulnerability (related to CVE-2017-3881) to enable memory read/write access on targeted devices.
Once exploited, attackers gain remote code execution (RCE) capabilities and implant sophisticated Linux rootkits. These rootkits operate largely filelessly by hooking into the Cisco IOS daemon (IOSd) memory, enabling persistent and stealthy control of the infected switches. They set a universal password containing the string “disco” (a subtle alteration of “Cisco”), allowing unauthorized access through multiple authentication methods.
Attack Methodology and Impact
- The rootkits act as UDP listeners accepting packets on any IP assigned to the device, permitting remote execution of malicious commands.
- They hide specific running configuration items in memory, including user accounts (e.g., dg3y8dpk, dg4y8epk), Embedded Event Manager (EEM) scripts (CiscoEMX-1 to CiscoEMX-5), and access control lists (e.g., EnaQWklg0).
- Attackers can disable or delete device logs to erase traces of their presence.
- They reset the last running-config write timestamp to make changes appear non-existent.
- Bypass controls such as AAA authentication and virtual terminal (VTY) access control lists.
- Use ARP spoofing to impersonate IP addresses and bypass internal firewall restrictions for lateral movement within the network.
The operation predominantly affects older switches without endpoint detection and response (EDR) solutions, making detection difficult for defenders. The advanced techniques afford attackers persistent, nearly invisible backdoors into critical network infrastructure.
Indicators of Compromise (IoCs)
- Presence of a universal password containing the string “disco” on Cisco devices.
- Hidden configuration entries including account usernames such as dg3y8dpk, dg4y8epk, dg5y8fpk, dg6y8gpk, dg7y8hpk.
- Hidden EEM scripts: CiscoEMX-1 to CiscoEMX-5.
- Hidden ACL names: EnaQWklg0, EnaQWklg1, EnaQWklg2.
- Unexpected UDP traffic on Cisco switches even on closed or unused ports.
- Discrepancies or lack of device logs due to toggling or deletion by attackers.
- ARP spoofing activity within the network involving IP conflicts or impersonation.
- Modified router or switch configuration with unusual or missing changes due to timestamp resets.
Detection and Mitigation Recommendations
Detecting a Zero Disco compromise requires deep forensic analysis, often necessitating vendor support for low-level firmware inspections. Organizations should:
- Immediately update Cisco devices with the latest patches addressing CVE-2025-20352.
- Monitor network traffic for suspicious UDP activity and anomalous ARP behaviors.
- Use advanced network security solutions offering virtual patching, intrusion prevention, and behavioral analytics, such as Trend Micro Cloud One Network Security and Deep Discovery.
- Deploy endpoint detection and response (EDR) on network devices where possible.
- Conduct routine checks for IoCs including universal passwords, hidden config items, and log tampering.
- Isolate and remediate affected devices promptly with vendor or expert assistance.
Operation Zero Disco represents a significant threat to enterprise network infrastructure relying on vulnerable Cisco hardware. Proactive monitoring, rapid patching, and comprehensive security controls are essential to prevent these stealthy rootkits from compromising critical network operations.
This incident underscores the persistent risks posed by unpatched vulnerabilities in core networking hardware and the evolving sophistication of attackers leveraging zero-day exploits to establish hard-to-detect footholds in critical IT environments.
