Red Hot Cyber
Rootkit on Cisco Devices: Operation Zero Disk Discovered

Redazione RHC : 15 October 2025 21:53

A sophisticated attack campaign dubbed "Operation Zero Disk" has recently been detected in which threat actors are actively exploiting a critical vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco devices to install Linux rootkits on vulnerable network equipment.

The campaign, observed from October 2025, has hit corporate networks and highlights the persistent risk of legacy infrastructure. The primary vulnerability, detailed in Cisco's security advisory, is a stack-based buffer overflow in the SNMP subsystem of Cisco IOS XE software.

Trend Micro observed the operation exploiting CVE-2025-20352, which allows remote code execution (RCE) and gives the attacker persistent, unauthorized access. The targets are mainly older Cisco switches that lack modern exploit mitigations.

The investigation also found that the attackers combined this flaw with a modified exploit for the older Telnet vulnerability CVE-2017-3881, repurposed as an arbitrary memory read/write primitive rather than for direct code execution.

The attackers send crafted SNMP Get-Request packets that overflow the buffer, giving them arbitrary code execution on both 32-bit and 64-bit switch architectures. Note that the bug is reached only after SNMP authentication: Cisco's advisory states that the attacker needs a valid SNMP community string or SNMPv3 credentials, so default or leaked community strings are what turn this into a practical remote attack.

Once the device is exploited, the malware deploys a rootkit that installs a universal password containing the string "disk", a subtle nod to "Cisco", which is accepted by authentication paths such as AAA and local logins. The password hook lives in the memory of the IOSd process: it leaves no file on flash and is lost on reboot, which makes it fileless and hard to spot in a forensic review.

On 32-bit targets such as the legacy Cisco 3750G series, the compromised devices showed fragmented SNMP packets carrying shell command fragments, such as "$(ps -a", because only a few bytes of command fit into each packet. On 64-bit platforms, including the Cisco 9400 and 9300 series, exploitation requires elevated privileges to activate the guest shell, after which a UDP-based controller performs the more advanced post-exploitation operations.
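The article describes command fragments riding inside SNMP requests. The following is an added example, not code from the article, Trend Micro or Cisco: a heuristic detector that parses the BER encoding of an SNMP v1/v2c request and flags OCTET STRING fields (community string or varbind values) that contain shell metacharacters or are abnormally long. It does not detect or reproduce the CVE-2025-20352 overflow itself, which the article leaves to vendor IPS rules. The 64-byte length ceiling, the metacharacter pattern and the three sample packets are assumptions and constructed inputs; which SNMP field the real payload travelled in is not stated on the page, so the detector scans all of them.

```python
import re

# Added example for this article, not Trend Micro's or Cisco's code. It flags
# SNMP v1/v2c requests whose string fields look like shell command fragments
# or are abnormally long. All packets below are constructed by hand.

# Assumption: shell metacharacter sequences have no place in a community
# string or an SNMP varbind value on a managed switch.
SHELL_PATTERN = re.compile(rb"\$\(|`|;\s*\w|\|\s*\w|&&|/bin/")
MAX_FIELD_LEN = 64   # assumption: legitimate strings are far shorter than this


def _read_tlv(buf, pos):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise IndexError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def _walk(buf):
    """Yield (tag, value) for every element, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                      # SEQUENCE or context-tagged PDU (0xA0-0xA8)
            yield from _walk(value)


def inspect_snmp(packet):
    """Return a list of findings for one UDP payload; an empty list means clean."""
    try:
        fields = list(_walk(packet))
    except IndexError:
        return ["malformed BER (truncated length or value)"]
    if not fields or fields[0][0] != 0x30:
        return ["not an SNMP message (outer element is not a SEQUENCE)"]
    findings = []
    for tag, value in fields:
        if tag != 0x04:                     # OCTET STRING: community or varbind value
            continue
        if len(value) > MAX_FIELD_LEN:
            findings.append(f"oversized OCTET STRING ({len(value)} bytes)")
        if SHELL_PATTERN.search(value):
            findings.append(f"shell metacharacters in OCTET STRING: {value[:24]!r}")
    return findings


# --- constructed sample packets (not captured traffic) ---------------------

def _tlv(tag, payload):
    """BER-encode one element with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _small_int(v):
    return _tlv(0x02, bytes([v]))           # enough for request-id 1, status 0


SYS_DESCR = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])  # 1.3.6.1.2.1.1.1.0


def build_get_request(community, oid=SYS_DESCR, value=b""):
    """Build a v2c GetRequest; a non-empty value is sent as an OCTET STRING."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + (_tlv(0x04, value) if value else b"\x05\x00"))
    pdu = _tlv(0xA0, _small_int(1) + _small_int(0) + _small_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _small_int(1) + _tlv(0x04, community) + pdu)


BENIGN = build_get_request(b"public")
# The shell fragment quoted in the article, placed in a varbind value.
SUSPICIOUS = build_get_request(b"public", value=b"$(ps -a")
OVERSIZED = build_get_request(b"A" * 200)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("oversized", OVERSIZED)):
        print(name, inspect_snmp(pkt) or "clean")
```

The detector works on a complete UDP payload, so a sensor that uses it must reassemble IP fragments first; the article notes that the 32-bit exploitation chain deliberately splits its commands across fragmented packets, which is exactly the case a per-fragment inspection would miss.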

The campaign targets outdated Linux-based systems that lack endpoint detection and response (EDR) tooling, and the attackers use spoofed IP addresses and email addresses to stay anonymous.

Address space layout randomization (ASLR) on newer models defeats some attempts, but Trend Micro telemetry shows that the attack can still succeed. Cisco assisted with the forensic analysis and confirmed impact on the end-of-life 3750G series as well as on the 9400 and 9300 series, which are still in active support.

Trend Micro recommends Cloud One Network Security for virtual patching and intrusion prevention, together with Deep Discovery Inspector rule 5497 for the UDP controller traffic. Above all, the fix for CVE-2025-20352 should be applied immediately.

The campaign underlines the danger of out-of-date network equipment and should push organisations to prioritise updates as state-sponsored and criminal threats keep growing.
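As an added hardening example (not configuration from the article, Trend Micro or Cisco), the weak SNMP setup that lets any host holding a guessable community string reach the vulnerable subsystem, beside a restricted setup of the kind Cisco's advisory describes as an interim workaround, namely allowing SNMP access only from trusted management hosts. The management address 192.0.2.10, the ACL, group and user names, and the passphrase placeholders are assumptions.

```cisco
! Weak: well-known community strings, accepted from any source address.
! Anyone who guesses or captures "public" can already talk to the SNMP subsystem.
snmp-server community public RO
snmp-server community private RW

! Hardened: remove v1/v2c communities, allow only SNMPv3 authPriv,
! and only from the management host listed in the ACL.
no snmp-server community public
no snmp-server community private
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
```

This narrows exposure rather than removing it: the bug is reached after authentication, so any host that can still reach SNMP with valid credentials still reaches the vulnerable code. Check the result with `show snmp community` and `show snmp user`, and treat the change as a stopgap until the fixed software is installed.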

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.