Friday, October 17, 2025

New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence

A campaign that exploited a Cisco Simple Network Management Protocol vulnerability to install Linux rootkits on exposed network devices has been observed.

The vulnerability, tracked as CVE-2025-20352 and detailed in a new analysis by Trend Micro, allowed remote code execution and persistent, unauthorized access: the attackers embedded hooks into IOSd memory and created a universal password based on the word “disco.”

Exploit Mechanics and Control

Attackers combined the SNMP exploit with a modified Telnet flaw based on CVE-2017-3881 to read and write memory, and then used a UDP controller on infected switches to toggle logs, bypass authentication and conceal configuration changes.

Trend Micro said the operation targeted older Linux hosts lacking endpoint detection and response (EDR), where fileless components could disappear after a reboot yet still enable lateral movement.

Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms and found the operation impacted Cisco 9400 series, 9300 series and legacy 3750G devices. Cisco provided forensic support that helped confirm affected models and assisted the investigation.

Attacks against 32-bit builds included an SNMP exploit that split command payloads across packets and a Telnet variant used to permit arbitrary memory access.

For 64-bit targets, attackers needed guest shell access at privilege level 15 to install a fileless backdoor and to use a UDP controller to perform management functions remotely.


Rootkit Capabilities and Detection

The rootkit granted several covert capabilities, including:

  • Acting as a UDP listener on any port for remote commands

  • Creating a universal password by modifying IOSd memory

  • Hiding running-config items such as account names, EEM scripts and ACLs

  • Bypassing VTY ACLs and resetting the last running-config write timestamp

  • Toggling or deleting device logs

Currently, there is no universal automated test to confirm compromise by this operation. If compromise is suspected, device owners are advised to contact Cisco TAC for a low-level firmware and ROM investigation, and to apply vendor guidance and detection rules supplied by Trend Micro.

To prevent compromise, device owners should promptly install Cisco patches and firmware updates, remove or harden default SNMP community strings or disable SNMP when not required, and restrict management access to bastion hosts and dedicated admin networks.

They should also disable Telnet and guest shell or tightly control level 15 access, deploy endpoint detection on Linux hosts, implement strong ACLs and network segmentation, enable ASLR-capable hardware where available, and adopt the detection rules and hunting queries provided by Trend Micro.
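To make the hardening advice above concrete, here is an added Cisco IOS/IOS XE configuration fragment (not taken from the Trend Micro report or from Cisco's guidance) showing the weak settings beside their corrected form; every address, ACL name, username and credential in it is a placeholder.

```cisco
! --- Weak (commonly found on exposed devices) ---
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 password cisco
!
! --- Hardened ---
! Remove the default community strings (or "no snmp-server" if SNMP is unused)
no snmp-server community public
no snmp-server community private
!
! If SNMP is required: SNMPv3 authPriv only, polled only from the NMS subnet
! (192.0.2.0/24 is a placeholder)
ip access-list standard SNMP-MGMT
 permit 192.0.2.0 0.0.0.255
 deny any log
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
snmp-server user nms-user NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
!
! Management plane: SSH only, reachable only from the bastion host (192.0.2.10 is a placeholder)
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 deny any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
username netadmin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
!
! Guest shell and IOx stay off unless there is a documented need for them
guestshell destroy
no iox
!
! Send logs off-box so on-device log tampering leaves a gap the collector can see,
! and record each configuration change together with the user who made it
logging host 192.0.2.20
service timestamps log datetime msec
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

None of this detects a device that is already implanted, since the hooks live in IOSd memory rather than in the running-config; it reduces exposure and makes tampering observable from the outside, which is why suspected cases still go to Cisco TAC.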

Image credit: PJ McDonnell / Shutterstock.com
