Cisco SNMP Flaw Exploited to Install Linux Rootkits

A new campaign dubbed "Operation Zero Disco" is actively exploiting a high-severity SNMP vulnerability (CVE-2025-20352) in older Cisco IOS and IOS XE devices. Attackers leverage the flaw to achieve remote code execution and deploy sophisticated Linux rootkits on unprotected systems. Once compromised, the malware establishes persistent access by creating a universal backdoor password and installing fileless components that disappear after a reboot. The rootkit allows threat actors to hide their activity, bypass access controls, delete logs, and move laterally across segmented networks. While newer hardware offers some protection, detection remains difficult, requiring low-level firmware investigation for suspected compromises.
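Since the campaign's entry point is SNMP on devices that are often left with legacy community strings, one defensive check a practitioner would want is a quick audit of exported Cisco IOS-style configurations for SNMP exposure: read-write communities, well-known default strings, communities with no source access-list, and access-lists that are referenced but never defined. The following Python script is an added example and is not code from the page or from any vendor; it assumes the common `snmp-server community <string> [view <v>] [RO|RW] [<acl>]` form and uses a constructed sample configuration. It does not detect the rootkit itself; it only flags the configuration hygiene that widens the attack surface the article describes.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a Cisco IOS-style running configuration (not taken from the page).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
access-list 10 permit 10.0.5.0 0.0.0.255
snmp-server community public RO
snmp-server community s3cr3tRW RW
snmp-server community netops RO 10
snmp-server community monitor RO NMS-ONLY
snmp-server group NMSGRP v3 priv
line vty 0 4
"""

# Widely known community strings that should never be in a production config.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)"   # community string
    r"(?:\s+view\s+\S+)?"             # optional MIB view
    r"(?:\s+(RO|RW))?"                # optional mode; IOS defaults to RO
    r"(?:\s+(\S+))?\s*$",             # optional ACL number or name
    re.IGNORECASE,
)
ACL_RE = re.compile(
    r"^(?:access-list\s+(\S+)|ip access-list\s+(?:standard|extended)\s+(\S+))",
    re.IGNORECASE,
)


def defined_acls(config: str) -> Set[str]:
    """Collect the numbers/names of every access-list declared in the config."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str) -> List[Dict[str, str]]:
    """Return one finding per SNMP community problem, as {"community", "issue", "detail"}."""
    acls = defined_acls(config)
    findings: List[Dict[str, str]] = []

    def flag(community: str, issue: str, detail: str) -> None:
        findings.append({"community": community, "issue": issue, "detail": detail})

    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)

        if community.lower() in DEFAULT_COMMUNITIES:
            flag(community, "default-community", "well-known community string")
        if mode == "RW":
            flag(community, "read-write", "RW community allows configuration changes")
        if acl is None:
            flag(community, "no-acl", "no access-list restricts source addresses")
        elif acl not in acls:
            flag(community, "undefined-acl", f"references access-list {acl!r} that is not defined")
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"{f['community']:<12} {f['issue']:<18} {f['detail']}")
```

Run it against a saved `show running-config` export; any community that appears in the output is a candidate for removal or for migration to SNMPv3 with an access-list, which narrows the exposure independently of whether the device has received the vendor fix.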

Latest mentioned: 10-16
Earliest mentioned: 10-16