Executive Summary
In early October 2025, security researchers uncovered Operation Zero Disco, a targeted cyber campaign leveraging a stack overflow vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE software. Advanced persistent threat (APT) actors weaponized this SNMP flaw to access legacy Cisco networking equipment, deploying covert Linux rootkits and securing long-term persistence on compromised devices. The exploitation enabled attackers to bypass standard defenses, facilitate lateral movement, and maintain undetected access to sensitive east-west network traffic, significantly increasing risk for organizations relying on outdated infrastructure.
This incident highlights a growing trend of sophisticated actors exploiting unpatched or unsupported networking systems to achieve deep infrastructure compromise. With the resurgence of supply chain and infrastructure-based attacks, persistent network vulnerabilities demand heightened vigilance, rapid patch adoption, and robust segmentation. Industry-wide, there is mounting urgency to secure critical areas exposed by legacy systems and evolving attacker tactics.
Why This Matters Now
Operation Zero Disco demonstrates how APTs are targeting common but overlooked legacy vulnerabilities in core networking gear, leading to difficult-to-detect, persistent threats. As businesses accelerate digital transformation and increase reliance on hybrid networks, urgent action is required to secure aging assets and implement zero trust segmentation to contain lateral attacker movement.
Attack Path Analysis
Attackers exploited the SNMP stack overflow vulnerability (CVE-2025-20352) in unpatched Cisco IOS/IOS XE devices to gain initial access. After compromise, adversaries escalated privileges on affected Linux systems and deployed rootkits for persistence. They moved laterally across internal segments, targeting additional workloads via east-west traffic paths. Command & control was established through encrypted or covert outbound channels to manage payloads. Sensitive data was exfiltrated from compromised systems using allowed egress routes. The campaign's impact included persistent control and potential disruption or data manipulation in target environments.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited the SNMP stack overflow flaw (CVE-2025-20352) on exposed Cisco IOS/IOS XE devices to gain unauthorized access.
Related CVEs
CVE-2025-20352
CVSS 7.7A stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software allows authenticated remote attackers to cause a denial of service or execute arbitrary code as root.
Affected Products:
Cisco IOS – See vendor advisory
Cisco IOS XE – See vendor advisory
Cisco Meraki MS390 – Meraki CS 17 or earlier
Cisco Catalyst 9300 Series – Meraki CS 17 or earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Create or Modify System Process
Exploitation for Privilege Escalation
Rootkit
Indicator Removal on Host
Network Service Discovery
Exploitation of Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components Against Known Vulnerabilities
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Segmentation and Isolation of Critical Services
Control ID: Network and Environment Segmentation
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical exposure to APT attacks exploiting Cisco network infrastructure vulnerabilities, requiring immediate IPS deployment and zero trust segmentation for carrier-grade systems.
Financial Services
High-risk sector for Linux rootkit deployment via SNMP flaws, demanding enhanced east-west traffic security and encrypted communications for regulatory compliance.
Health Care / Life Sciences
Vulnerable to sophisticated network intrusions through unpatched Cisco systems, necessitating multicloud visibility controls and HIPAA-compliant threat detection capabilities.
Government Administration
Prime target for advanced persistent threats exploiting network infrastructure, requiring comprehensive egress security policies and anomaly detection for critical systems protection.
Sources
- Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in 'Zero Disco' Attackshttps://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.htmlVerified
- Cisco Security Advisory: SNMP Vulnerability in IOS and IOS XE Softwarehttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhteVerified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalogVerified
- Cisco warns zero-day vulnerability exploited in attacks on IOS softwarehttps://www.techradar.com/pro/security/cisco-warns-zero-day-vulnerability-exploited-in-attacks-on-ios-softwareVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Strong Zero Trust segmentation, inline intrusion prevention, egress policy enforcement, and east-west traffic controls could have disrupted the adversary at multiple points in the kill chain, limiting compromise, movement, and data loss. Multicloud visibility and anomaly detection would further enhance detection and response capabilities.
Control: Inline IPS (Suricata)
Mitigation: Blocked exploitation attempts by inspecting network traffic for known SNMP vulnerability signatures.
Control: Zero Trust Segmentation
Mitigation: Restricted privileged access and movement of exploited workloads via identity-based segmentation.
Control: East-West Traffic Security
Mitigation: Prevented unauthorized internal communication between workloads.
Control: Threat Detection & Anomaly Response
Mitigation: Detected anomalous outbound communication patterns typical of C2 channels.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized data exfiltration by enforcing strict egress filtering.
Minimized attacker persistence by orchestrating distributed policy enforcement and runtime controls.
Impact at a Glance
Affected Business Functions
- Network Operations
- IT Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of network configurations and sensitive operational data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Apply Zero Trust segmentation and microsegmentation to prevent lateral movement between network resources.
- • Deploy inline intrusion prevention to detect and block exploitation attempts targeting network device vulnerabilities.
- • Implement strict egress controls to restrict outbound traffic and monitor for suspicious exfiltration or C2 activity.
- • Leverage real-time anomaly detection and logging for rapid exposure of abnormal behavior and early incident response.
- • Continuously update and audit hybrid/multicloud visibility and policy enforcement to quickly identify and close security gaps.
