Hackers used Cisco zero-day to plant rootkits on network switches (CVE-2025-20352)
Threat actors have leveraged a recently patched IOS/IOS XE vulnerability (CVE-2025-20352) to deploy Linux rootkits on vulnerable Cisco network devices.
“The operation targeted victims running older Linux systems that do not have endpoint detection response solutions,” Trend Micro researchers shared.
Once a rootkit was implanted, it would set a universal password (containing the word “disco”) and install several hooks into the memory space of the IOSd process; these components are fileless, so they disappear after a reboot.
About CVE-2025-20352
In late September 2025, Cisco fixed an IOS/IOS XE vulnerability (CVE-2025-20352) exploited by attackers in zero-day attacks, but did not share additional details about the attacks.
CVE-2025-20352, a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, could lead to either a DoS condition or remote code execution, the latter only if the attacker already had high privileges on the vulnerable device.
“An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks,” Cisco noted, and shared that the attackers were able to get their hands on valid local administrator credentials and use them to achieve remote code execution.
Researchers’ findings
Trend Micro discovered that the attackers exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices.
They wielded several exploits and targeted both 32-bit and 64-bit platforms. They also attempted to exploit a modified version of an old Telnet vulnerability (CVE-2017-3881), to achieve memory read/write at arbitrary addresses.
The researchers uncovered several exploits used by the attackers. One was used to install the Linux rootkit, and one to stop trace logging on the target device.
“Trend investigation also found a UDP controller component used to control the rootkit, and an arp spoofing tool on a Cisco switch,” the researchers shared.
“The UDP controller provides several powerful management functions: it can toggle log history on or off or delete log records entirely; bypass AAA authentication and bypass VTY access-control lists; enable or disable a universal password; conceal portions of the running configuration; and reset the timestamp of the last running-config write so the configuration appears never to have been changed.”
The ARP spoofing tool can be used to redirect traffic meant for the network device so that it reaches the attacker first.
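Because the UDP controller described above can conceal portions of the running configuration and reset the last-write timestamp, an on-box `show running-config` cannot be trusted on its own. The following is an added Python example (not code from Trend Micro, Cisco or the attackers): it compares a constructed on-box snapshot against an out-of-band baseline and flags drift that the device's own last-change timestamp does not account for. The header format, hostnames and sample config lines are assumptions.

```python
import difflib
import re
from datetime import datetime

# Constructed baseline, taken out-of-band (e.g. a config-management backup),
# together with the time it was captured.
BASELINE_CAPTURED = datetime(2025, 9, 1, 8, 0, 0)
BASELINE = """\
hostname core-sw1
username admin privilege 15 secret 9 <redacted>
aaa new-model
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

# Constructed on-box snapshot: the access-class line is missing, yet the
# reported last-change time predates the baseline capture.
ONBOX = """\
! Last configuration change at 07:30:00 UTC Mon Aug 25 2025 by admin
hostname core-sw1
username admin privilege 15 secret 9 <redacted>
aaa new-model
line vty 0 4
 transport input ssh
"""

# Assumed header format for the device's own last-change line.
_LAST_CHANGE = re.compile(
    r"^! Last configuration change at (\d\d:\d\d:\d\d) \S+ (\w{3} \w{3} +\d{1,2} \d{4})", re.M)

def normalize(cfg: str) -> list[str]:
    """Drop blank lines and '!' metadata lines; keep indentation so context survives."""
    return [l.rstrip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")]

def config_drift(baseline: str, onbox: str) -> dict:
    """Lines present in the baseline but absent on the device, and vice versa."""
    lines = list(difflib.unified_diff(normalize(baseline), normalize(onbox), lineterm="", n=0))
    missing = [l[1:] for l in lines if l.startswith("-") and not l.startswith("---")]
    added = [l[1:] for l in lines if l.startswith("+") and not l.startswith("+++")]
    return {"missing": missing, "added": added}

def reported_last_change(onbox: str):
    """Parse the device-reported last-change time, or None if the header is absent."""
    m = _LAST_CHANGE.search(onbox)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %a %b %d %Y") if m else None

def assess(baseline: str, baseline_captured: datetime, onbox: str) -> dict:
    """Visible drift with a last-change time no later than the baseline is the signature
    of hidden config plus a rewound timestamp, so treat that combination as suspicious."""
    drift = config_drift(baseline, onbox)
    last = reported_last_change(onbox)
    changed = bool(drift["missing"] or drift["added"])
    suspicious = changed and (last is None or last <= baseline_captured)
    return {**drift, "reported_last_change": last, "suspicious": suspicious}
```

Run `assess(BASELINE, BASELINE_CAPTURED, ONBOX)` to see the missing line reported alongside `suspicious: True`; the same check against an unchanged config returns no drift.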
What to do?
Cisco has advised customers to use the Cisco Software Checker or a form in the CVE-2025-20352 security advisory to check whether their devices are running an affected version, and to update them if they are.
Trend Micro has shared indicators of compromise related to these attacks, but also noted that there is no universal automated tool that can be used to determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation (as they call it).
“If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions,” the researchers advised.
While the targeted devices may be older ones, the exploits can work on newer ones, as well.
“Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed,” the researchers added.