Cisco Zero-Day Flaw Actively Exploited to Implant Linux Rootkits on Network Switches

Cisco Zero-Day (CVE-2025-20352) Exploited in 'ZeroDisco' Operation to Deploy Linux Rootkits on Network Switches

CRITICAL
October 18, 2025
Vulnerability, Cyberattack, Malware

Related Entities

Organizations

Products & Tech

  • Cisco IOS
  • Cisco IOS XE

Other

  • Linux rootkit
  • ZeroDisco

CVE Identifiers

  • CVE-2025-20352 (CRITICAL)

Full Report

Executive Summary

A previously undisclosed zero-day vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software has been under active exploitation by threat actors. The vulnerability, now tracked as CVE-2025-20352, is a stack overflow flaw that can be leveraged for remote code execution (RCE). Security researchers at Trend Micro have linked the exploitation to a campaign they call "ZeroDisco," which targeted Cisco Catalyst 9400, 9300, and legacy 3750G series switches. The attackers successfully implanted sophisticated Linux rootkits on compromised devices, which were designed to be fileless and evade detection. Cisco has since released security updates and is strongly advising customers to apply them to all affected networking equipment.


Vulnerability Details

  • CVE ID: CVE-2025-20352
  • Description: A stack overflow vulnerability exists in the SNMP subsystem of Cisco IOS and IOS XE Software. An authenticated attacker with high privileges could exploit this flaw by sending a specially crafted SNMP packet over IPv4 or IPv6 to an affected device.
  • Impact: Successful exploitation can lead to a denial-of-service (DoS) condition or, more critically, allow the attacker to achieve remote code execution with elevated privileges on the underlying operating system.
  • Prerequisites: The attacker must possess high-privilege read-write credentials for the target device to trigger the RCE condition. The DoS condition may be achievable with lower-privileged, read-only credentials.

Affected Systems

The vulnerability affects a range of Cisco devices running vulnerable versions of IOS and IOS XE software. The "ZeroDisco" campaign specifically targeted the following switch series:

  • Cisco Catalyst 9400 Series Switches
  • Cisco Catalyst 9300 Series Switches
  • Cisco Catalyst 3750G Series Switches (Legacy)

Cisco has provided a form in its security advisory and the Cisco Software Checker tool to help customers determine if their specific software version is affected. The attackers appeared to focus on older Linux systems that often lack modern endpoint detection and response (EDR) capabilities, making network devices an ideal target for stealthy persistence.


Exploitation Status

Cisco confirmed that CVE-2025-20352 was exploited as a zero-day before a patch was available. The "ZeroDisco" operation involved a multi-step attack chain:

  1. Credential Acquisition: Attackers first obtained high-privilege credentials for the target switches. The method of acquisition was not specified but could include brute-forcing, credential stuffing, or leveraging other vulnerabilities.
  2. Initial Exploitation: The attackers sent a crafted SNMP packet to trigger the stack overflow in CVE-2025-20352 and gain RCE.
  3. Secondary Exploits: The threat actors also used an exploit for a modified version of an older Telnet vulnerability, CVE-2017-3881, to achieve memory read/write capabilities at arbitrary addresses. This was used to further entrench their position on the device.
  4. Rootkit Deployment: A Linux rootkit was implanted into the IOSd process memory space. This rootkit established a universal password containing the word "disco" and installed hooks to make its components fileless, meaning they would not survive a reboot, complicating forensic analysis.
  5. Defense Evasion: The attackers used another exploit to stop trace logging on the device (T1070.001 - Indicator Removal: Clear Windows Event Logs), further hindering detection and investigation efforts.

Detection Methods

Detecting this compromise is challenging due to the attackers' anti-forensic techniques. However, organizations can take several steps:

  • Vulnerability Scanning: Use the Cisco Software Checker or vulnerability scanners to identify devices running affected IOS/IOS XE versions.
  • Log Analysis: Monitor for unexpected device reboots or crashes, which could indicate failed exploitation attempts. Although attackers attempted to clear logs, review any available SNMP, Telnet, and system logs for anomalous activity, such as access from untrusted IP addresses or unusual SNMP requests.
  • Configuration Audits: Regularly audit device configurations for unauthorized changes, including the creation of unknown user accounts or suspicious passwords.
  • Network Traffic Analysis: Use Network Traffic Analysis (D3-NTA) to monitor for unusual SNMP traffic patterns directed at your Cisco devices. Look for large or malformed SNMP packets.

Remediation Steps

  1. Apply Patches: The primary remediation is to apply the software updates provided by Cisco that address CVE-2025-20352. This is a critical step to prevent both initial compromise and re-infection. This falls under Software Update (D3-SU).
  2. Restrict SNMP Access: As a workaround and general best practice, restrict SNMP access to trusted management hosts only. Use robust Access Control Lists (ACLs) to filter SNMP traffic. If SNMP is not required, disable it entirely.
  3. Harden Credentials: Enforce strong, unique credentials for all network devices. Avoid using default or easily guessable community strings for SNMP. Implement a Strong Password Policy (D3-SPP).
  4. Isolate Management Network: Ensure that the management interfaces of network devices are on a segmented, isolated network that is not accessible from general user networks or the internet. This is a form of Network Isolation (D3-NI).

Timeline of Events

  1. September 1, 2025: Cisco patches CVE-2025-20352 in late September but does not initially disclose in-the-wild exploitation.
  2. October 17, 2025: Trend Micro and Cisco release details about the 'ZeroDisco' campaign and active exploitation of the zero-day.
  3. October 18, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Applying the security patches from Cisco is the most direct and effective way to remediate CVE-2025-20352.
  • Restricting access to management interfaces like SNMP and Telnet to a dedicated, trusted network segment minimizes the attack surface.
  • Since the exploit requires high-privilege credentials, enforcing strong, unique passwords and rotating them regularly makes the prerequisite harder for attackers to meet.
  • Audit (M1047, Enterprise): Regularly auditing logs and device configurations for unauthorized access or changes can help detect compromise early.

D3FEND Defensive Countermeasures

The most urgent action for all organizations using Cisco IOS and IOS XE devices is to identify vulnerable systems and deploy the patches for CVE-2025-20352. Use the Cisco Software Checker tool to determine if your specific device models and software versions are affected. Prioritize patching for internet-facing devices and critical core network switches like the Catalyst 9300/9400 series. Since this was a zero-day under active exploitation, any unpatched, vulnerable device should be considered at high risk of compromise. After patching, verify the update was successful and that the device is no longer reported as vulnerable by scanning tools. This directly removes the vulnerability that the 'ZeroDisco' campaign relies on for initial code execution.

To mitigate the risk from CVE-2025-20352 and similar vulnerabilities, organizations must harden the configuration of their Cisco devices. Specifically for this threat, if SNMP is not essential for business operations on a particular device, it should be disabled entirely. If it is required, configure SNMPv3 with strong authentication and encryption. Crucially, implement strict SNMP Access Control Lists (ACLs) to ensure that only authorized and trusted management stations can send SNMP requests to the device. This configuration hardening acts as a vital compensating control, especially if patching cannot be immediately deployed, as it blocks the attack vector used to deliver the malicious SNMP packet.
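The configuration audit recommended under Detection Methods and the SNMP hardening described in Remediation Steps and the paragraph above can be checked mechanically against a saved running-config. The following script is an added example written for this article, not Cisco's tooling or code from the campaign write-ups. Both config excerpts are constructed samples: the weak one shows default community strings, an RW community with no ACL, and a v3 group without authentication; the hardened one keeps only a v3 auth+priv group bound to an ACL for an assumed management subnet of 10.10.10.0/24. The list of "weak" community strings and the approved-user allowlist are assumptions to tune for your environment.

```python
from typing import List, Set, Tuple

# Constructed sample of a weak running-config excerpt (not from any real device):
# default community strings, an RW community, no ACLs, and a v3 group with no
# authentication. The secret hashes are placeholders.
WEAK_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup privilege 15 secret 9 $9$PLACEHOLDER
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 noauth
"""

# Constructed sample after hardening: v1/v2c communities removed, a single v3
# group at the auth+priv level, bound to an ACL that permits only the
# management subnet (assumed here to be 10.10.10.0/24).
HARDENED_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 9 $9$PLACEHOLDER
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
snmp-server group NETMON v3 priv access 10
"""

# Community strings that ship as defaults or get guessed first (assumed list).
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

Finding = Tuple[str, str]  # (finding code, human-readable detail)


def audit_snmp_config(config: str, approved_users: Set[str]) -> List[Finding]:
    """Return hardening findings for an IOS/IOS XE running-config excerpt."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue

        # Local accounts: anything not on the approved list deserves a look,
        # since the rootkit described above adds its own credential.
        if tokens[0] == "username" and len(tokens) > 1:
            if tokens[1] not in approved_users:
                findings.append(("unknown-user", f"local account '{tokens[1]}' is not approved"))
            continue

        # snmp-server community <string> [view <name>] [RO|RW] [acl]
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
            community, rest = tokens[2], tokens[3:]
            if rest[:1] == ["view"]:          # optional "view <name>" clause
                rest = rest[2:]
            mode = "RO"                        # IOS default when RO/RW is omitted
            if rest and rest[0].upper() in ("RO", "RW"):
                mode, rest = rest[0].upper(), rest[1:]
            acl = rest[0] if rest and rest[0].lower() != "ipv6" else None
            if mode == "RW":
                findings.append(("rw-community", f"'{community}' grants write access (RCE prerequisite)"))
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(("weak-community", f"'{community}' is a default/guessable string"))
            if acl is None:
                findings.append(("community-no-acl", f"'{community}' is reachable from any source"))
            continue

        # snmp-server group <name> v3 {noauth|auth|priv} [...] [access <acl>]
        if tokens[:2] == ["snmp-server", "group"] and "v3" in tokens:
            name = tokens[2]
            idx = tokens.index("v3") + 1
            level = tokens[idx] if idx < len(tokens) else "noauth"
            if level != "priv":
                findings.append(("v3-not-priv", f"group '{name}' runs at '{level}', not auth+priv"))
            if "access" not in tokens:
                findings.append(("group-no-acl", f"group '{name}' has no access ACL"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} ---")
        for code, detail in audit_snmp_config(cfg, {"admin"}) or [("ok", "no findings")]:
            print(f"{code:18} {detail}")
```

Run it against `show running-config` output collected over your normal management channel; an empty result for a device that still carries `snmp-server community` lines means the allowlists need tightening, not that the device is clean.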

Implement network traffic analysis focused on management protocols for critical network infrastructure. For the 'ZeroDisco' campaign, this involves baselining normal SNMP and Telnet traffic to and from your Cisco switches. Configure your NIDS or NDR solution to alert on anomalies, such as SNMP packets with unusual sizes or structures, Telnet connections from unauthorized subnets, or any communication patterns that deviate from the established norm. Since the rootkit is fileless and resides in memory, network-based detection is one of the most effective ways to spot post-compromise activity or further exploitation attempts. Monitoring traffic can help identify a compromised switch even if the attacker has cleared local device logs.
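The Log Analysis and Network Traffic Analysis bullets under Detection Methods and the baselining approach in the paragraph above share one idea: decide what normal management traffic looks like, then alert on what falls outside it. The script below is an added example for this article, not code from Cisco, Trend Micro or the campaign reports. The syslog lines are constructed samples in the general shape of IOS messages (SNMP authentication failures, a configuration change from a vty session, a restart), the flow records are constructed (source IP, byte count) pairs standing in for NetFlow/IPFIX or capture data, and the management subnet 10.10.10.0/24 and the "three times the median" size ceiling are assumptions to replace with your own baseline.

```python
import ipaddress
import re
from collections import Counter
from statistics import median
from typing import List, Sequence, Tuple

# Assumed management subnet; adjust to your environment.
TRUSTED_MGMT = ["10.10.10.0/24"]

# Constructed syslog lines in the general shape of IOS messages. They are
# samples for this example, not records from a real incident.
SAMPLE_SYSLOG = [
    "Oct 17 02:10:11 core-sw1 1234: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.5",
    "Oct 17 02:10:12 core-sw1 1235: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.45",
    "Oct 17 02:10:13 core-sw1 1236: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.45",
    "Oct 17 02:11:40 core-sw1 1237: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.45)",
    "Oct 17 02:15:02 core-sw1 1238: %SYS-5-RESTART: System restarted --",
    "Oct 17 03:00:00 core-sw1 1239: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.10.7)",
]

# Constructed UDP/161 flow summaries as (source IP, bytes). In practice these
# would come from NetFlow/IPFIX or a packet capture on the management VLAN.
BASELINE_FLOWS = [("10.10.10.5", 92), ("10.10.10.5", 110), ("10.10.10.7", 96), ("10.10.10.7", 128)]
OBSERVED_FLOWS = [("10.10.10.5", 98), ("203.0.113.45", 1412), ("10.10.10.7", 4096)]

AUTHFAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL: .* from host (\S+)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")
RESTART_RE = re.compile(r"%SYS-5-(RESTART|RELOAD)\b")

Alert = Tuple[str, str]  # (alert code, human-readable detail)


def _trusted(ip: str, trusted_nets: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in trusted_nets)


def analyse_syslog(lines: Sequence[str], trusted_nets: Sequence[str] = TRUSTED_MGMT) -> List[Alert]:
    """Flag SNMP auth failures from outside the management net, configuration
    changes from untrusted sources, and restarts (a possible failed exploit)."""
    alerts: List[Alert] = []
    authfail_by_host: Counter = Counter()
    for line in lines:
        if m := AUTHFAIL_RE.search(line):
            authfail_by_host[m.group(1)] += 1      # aggregate, report once per host
        elif m := CONFIG_RE.search(line):
            user, src = m.groups()
            if not _trusted(src, trusted_nets):
                alerts.append(("config-change-untrusted", f"{user} configured device from {src}"))
        elif RESTART_RE.search(line):
            alerts.append(("unexpected-restart", line.split(": ", 1)[-1]))
    for host, n in authfail_by_host.items():
        if not _trusted(host, trusted_nets):
            alerts.append(("snmp-authfail-untrusted", f"{n} SNMP auth failure(s) from {host}"))
    return alerts


def analyse_snmp_flows(baseline: Sequence[Tuple[str, int]], observed: Sequence[Tuple[str, int]],
                       trusted_nets: Sequence[str] = TRUSTED_MGMT, factor: float = 3.0) -> List[Alert]:
    """Flag SNMP from untrusted sources and packets far above the baseline size."""
    ceiling = median(size for _, size in baseline) * factor
    alerts: List[Alert] = []
    for src, size in observed:
        if not _trusted(src, trusted_nets):
            alerts.append(("snmp-from-untrusted", f"{src} sent SNMP to the device"))
        if size > ceiling:
            alerts.append(("snmp-oversized", f"{size}-byte SNMP packet from {src} (ceiling {ceiling:.0f})"))
    return alerts


if __name__ == "__main__":
    for code, detail in analyse_syslog(SAMPLE_SYSLOG) + analyse_snmp_flows(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(f"{code:24} {detail}")
```

Because the syslog checks depend on messages the device itself emits, they only help up to the point where an attacker disables local logging; the flow checks run on data collected off the device and keep working after that, which is why the two belong together.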

Sources & References

  • "Hackers used Cisco zero-day to plant rootkits on network switches (CVE-2025-20352)", Help Net Security (helpnetsecurity.com), October 17, 2025
  • "Operation Zero Disco: Threat actors targets Cisco SNMP flaw to drop Linux rootkits", Security Affairs (securityaffairs.com), October 18, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Cisco, Zero-Day, CVE-2025-20352, Rootkit, Linux, SNMP, Vulnerability, ZeroDisco, IOS, IOS XE
