New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence


Trend Micro has reported a campaign that exploits a flaw in Cisco SNMP to install Linux rootkits on network devices.

A campaign that exploited a Cisco Simple Network Management Protocol vulnerability to install Linux rootkits on exposed network devices has been observed.

The flaw, tracked as CVE-2025-20352, allowed remote code execution and persistent, unauthorized access: the attackers embedded hooks into IOSd memory and created a universal password built around the word “disco”.

Attackers combined the SNMP exploit with a modified Telnet flaw based on CVE-2017-3881 to read and write memory, and then used a UDP controller on infected switches to toggle logs, bypass authentication and conceal configuration changes.

Trend Micro said the operation targeted older Linux hosts lacking endpoint detection and response (EDR), where fileless components could disappear after reboot yet still enable lateral movement.
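Both vectors the report names, SNMP and Telnet, are only reachable when a device's configuration exposes them. The following audit script is an added example (not Trend Micro's or Cisco's code): it walks a constructed Cisco IOS running-config excerpt and flags default or unrestricted SNMP communities and VTY lines that still accept Telnet. The sample config and the `audit_config` function are assumptions for illustration; the line formats are standard IOS syntax.

```python
"""Flag IOS config lines that leave SNMP communities or Telnet exposed.

Added example; the config below is constructed and not from any real device.
"""
import re

# Constructed sample running-config excerpt (assumption, not real data).
SAMPLE_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community ops-ro RO 10
snmp-server group v3admins v3 priv
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Well-known default community strings that should never survive in production.
DEFAULT_COMMUNITIES = {"public", "private"}

# Common form: snmp-server community <name> RO|RW [<acl>]
COMMUNITY_RE = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$")


def audit_config(text: str) -> list[str]:
    """Return human-readable findings for exposed SNMP communities and Telnet VTYs."""
    findings: list[str] = []
    vty = None  # the 'line vty ...' block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):           # top-level command
            vty = line if line.startswith("line vty") else None
            m = COMMUNITY_RE.match(line)
            if m:
                name, mode, acl = m.groups()
                if name in DEFAULT_COMMUNITIES:
                    findings.append(f"snmp: default community name '{name}'")
                if mode == "RW":
                    findings.append(f"snmp: community '{name}' grants RW access")
                if acl is None:
                    findings.append(f"snmp: community '{name}' has no source ACL")
            continue
        words = line.split()                   # indented sub-command of a block
        if vty and words[:2] == ["transport", "input"] and "telnet" in words:
            findings.append(f"telnet: '{vty}' accepts Telnet")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```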

Author summary: New campaign exploits Cisco SNMP flaw to install Linux rootkits.


Infosecurity Magazine — 2025-10-16