2025-10-17 | Vulnerability Management, Patch/Configuration Management

Intrusions with Cisco SNMP bug facilitate Linux rootkit deployment

Older Linux systems have been compromised with rootkits in attacks involving the exploitation of a high-severity Cisco IOS and IOS XE Simple Network Management Protocol vulnerability, tracked as CVE-2025-20352, part of the Operation Zero Disco campaign, reports Security Affairs.

Attackers leveraged various exploits to compromise vulnerable Cisco 9400, 9300, and legacy 3750G devices with rootkits while abusing a modified version of the Telnet bug, tracked as CVE-2017-3881, for arbitrary memory read/write, an analysis from Trend Micro researchers showed.

Installation of the rootkit enabled remote control and VLAN connections for lateral movement, with the rootkit setting a universal password containing the word "disco" before injecting multiple hooks into IOSd memory.

"Newer switch models provide some protection via Address Space Layout Randomization (ASLR) which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed," said Trend Micro researchers.
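Because the intrusions described above start with the SNMP service, the most immediate defensive control is to find devices whose SNMP exposure is wider than it needs to be. The script below is an added example written for this page, not code from the article or from Trend Micro: it audits a Cisco IOS-style running configuration for SNMPv1/v2c communities that use default names, grant read-write access, are not bound to an access list, or reference an access list that does not exist, and notes when no SNMPv3 `priv` group is present. The sample configuration is constructed for the example, and the line syntax it parses is the standard `snmp-server community <name> [view <v>] [RO|RW] [<acl>]` form; it is a configuration check only and does not test for or identify any particular vulnerability.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the configuration line that triggered the finding ("" for global findings)
    message: str


# Constructed sample running-config fragment (not taken from the article).
SAMPLE_CONFIG = """
hostname core-sw-1
!
snmp-server community public RO
snmp-server community netadmin RW
snmp-server community monitor RO 10
snmp-server community legacy RO 20
snmp-server group OPS v3 priv
!
access-list 10 permit 10.0.0.5
access-list 10 deny   any
"""

# snmp-server community <name> [view <view>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 \S+)?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Community strings that ship as defaults or are widely guessed.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def defined_acls(config: str) -> set:
    """Collect the numbered and named access lists defined in the config."""
    acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config: str) -> list:
    """Return a list of Findings describing weak SNMP exposure in the config."""
    findings = []
    acls = defined_acls(config)
    has_v3_priv = False
    saw_community = False

    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"^snmp-server group \S+ v3 priv", line, re.IGNORECASE):
            has_v3_priv = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        saw_community = True
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()   # IOS defaults to RO when omitted
        acl = m.group("acl")

        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("high", line, f"default or guessable community string '{name}'"))
        if mode == "RW":
            findings.append(Finding("high", line, "read-write community grants configuration changes"))
        if acl is None:
            findings.append(Finding("medium", line, "community is not restricted by an access list"))
        elif acl not in acls:
            findings.append(Finding("medium", line, f"referenced access list '{acl}' is not defined"))

    if saw_community and not has_v3_priv:
        findings.append(Finding("low", "", "v1/v2c communities in use and no SNMPv3 priv group configured"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.message}" + (f"  <- {f.line}" if f.line else ""))
```

Run against an exported running-config (for example, one collected by a configuration-management system), the output gives a per-device list of communities to remove, convert to SNMPv3 with authentication and privacy, or bind to an access list that permits only the management stations; limiting which hosts can reach SNMP at all shrinks the surface the campaign above depended on, independent of the switch model's ASLR support.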

