Cisco IOS/IOS XE SNMP Zero-Day Exploitation and Operation Zero Disco

**CVE-2025-20352** is a **Cisco IOS and IOS XE** **SNMP** stack-based buffer overflow that was **exploited in the wild** before Cisco’s fix, and later activity showed **Operation Zero Disco** using it to deploy **Linux rootkits** on **older, unprotected systems**. The campaign primarily affected **Cisco 9400, 9300, and legacy 3750G series devices**, and also included attempts to abuse a modified **Telnet** flaw based on **CVE-2017-3881** for memory access. The attacks enabled **remote code execution** and **persistent unauthorized access** through universal passwords and hooks in **IOSd** memory space.

A **Cisco** network-device **rootkit campaign** is exploiting **CVE-2025-20352** and a modified **CVE-2017-3881** Telnet flaw to gain persistent, unauthorized access on exposed devices. The operation matters because it can hide changes, bypass authentication, and survive long enough to enable follow-on movement across **Cisco 9400**, **9300**, and **3750G** environments. It has also been observed against older Linux hosts, showing a multi-stage access path rather than a one-off exploit.

A **new campaign** dubbed **Operation Zero Disco** exploited **CVE-2025-20352** against **Cisco IOS Software** and **IOS XE Software**, enabling **Linux rootkits** and persistent access on vulnerable devices. The activity mattered because it was used as a **zero-day** before Cisco's patch, and it primarily hit **Cisco 9400, 9300, and legacy 3750G** series systems. It also included follow-on attempts using a modified **Telnet** flaw and stealthy infrastructure to broaden access and persistence.

**Cisco** released **security updates** for **Cisco IOS and IOS XE Software** to fix **CVE-2025-20352**, a **zero-day** in the **SNMP subsystem** that was **exploited in the wild**. The flaw is a **stack overflow** in routers and switches that can be triggered with **crafted SNMP packets**; low-privileged attackers could cause **DoS**, while high-privileged attackers could achieve **remote code execution as root** on affected devices, including **Meraki MS390** and **Catalyst 9300** switches running **Meraki CS 17 and earlier**. Cisco said the vulnerability was fixed in **Cisco IOS XE Software Release 17.15.4a** and urged administrators to **update to a patched release** as soon as possible. Cisco also said operators who cannot upgrade immediately should **limit SNMP access** to trusted users as a temporary mitigation, and the same release addressed **13 other vulnerabilities**.

**Cisco** issued mitigation guidance for **CVE-2025-20352** on **SNMP-enabled IOS and IOS XE systems**, warning administrators to reduce exposure on devices that remain vulnerable. The guidance matters because the flaw is **actively exploited** and can enable **DoS** or even **root code execution** under specific conditions. Cisco's immediate advice is to **restrict SNMP access**, **monitor affected systems**, and **disable the affected OIDs** where supported.