Vulnerability
Campaign ×2
Advisory/Mitigation
Security Patch Release
Cisco IOS/IOS XE SNMP Zero-Day Exploitation and Operation Zero Disco
Updated 16.10.2025 21:13
Case score 71
Top contributors
- Vulnerability: anchors the exploited **Cisco IOS/IOS XE SNMP** flaw and core risk.
- Advisory/Mitigation: adds interim mitigation guidance for exposed SNMP-enabled systems.
- Campaign: adds persistence and tradecraft details, including memory hooks and modified Telnet use.
- Campaign: confirms **Operation Zero Disco** used the flaw as a zero-day and deployed rootkits.
Members 5
Latest activity 16.10.2025 21:13
Active exploitation
Patch/mitigation varies by member
CVSS: 9.9 Critical
First seen 24.09.2025 19:52
Last seen 16.10.2025 18:00
Overview
Exploitation of **Cisco IOS and IOS XE** **CVE-2025-20352** has moved from zero-day disclosure into a campaign story in which **Operation Zero Disco** used the SNMP flaw to compromise network devices and plant persistence. Available reporting describes **Linux rootkits**, **IOSd** memory hooks, and follow-on abuse of a modified **CVE-2017-3881** path on older Cisco gear, especially **9400**, **9300**, and legacy **3750G** systems.
Cisco has issued fixed releases and interim SNMP-restriction guidance, but available evidence does not identify the operator or quantify victim count. The immediate priority is patching exposed **IOS/IOS XE** devices and reviewing potentially affected systems for persistence and configuration tampering.
Attackers are exploiting **CVE-2025-20352** in the **SNMP subsystem** of **Cisco IOS Software and IOS XE Software**, turning a stack-based buffer overflow into real-world compromise of network devices. Cisco said the flaw was exploited before fixes were available, and the issue can produce denial of service on unpatched systems or root-level code execution on vulnerable **IOS XE** devices when attacker privileges are sufficient.
Later reporting described the exploitation as **Operation Zero Disco**, a campaign that used the bug as a zero-day to deploy **Linux rootkits** on older, unprotected systems and to target **Cisco 9400**, **9300**, and legacy **3750G** devices. The activity also included attempts to use a modified **CVE-2017-3881** Telnet weakness for memory access, while operators embedded hooks in **IOSd** memory, used a UDP controller, and created a universal password built around the word **"disco"** to preserve access and conceal changes.
Cisco released patches for affected **IOS** and **IOS XE** versions, including fixes referenced for **IOS XE 17.15.4a**, and said there is no full workaround beyond moving to a fixed release. For systems that could not be upgraded immediately, Cisco advised restricting SNMP to trusted users, monitoring affected systems with **show snmp host**, and disabling affected object identifiers where supported, though those steps only reduce exposure.
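One way to check whether a device's interim hardening matches the guidance above (SNMP reachable only from trusted sources, affected OIDs excluded through a view) is to audit the `snmp-server` lines of `show running-config`. This is an added example, not Cisco's tooling or part of the original report; the config excerpt is constructed, and the OID in the view is a placeholder to be replaced with the identifiers named in Cisco's advisory.

```python
import re

# Constructed running-config excerpt (not from a real device). The OID in the
# NOBULK view is a PLACEHOLDER: substitute the affected OIDs from Cisco's advisory.
SAMPLE_CONFIG = """\
snmp-server view NOBULK iso included
snmp-server view NOBULK 1.3.6.1.4.1.9.999 excluded
snmp-server community public RO
snmp-server community netops RW 10
snmp-server community monitor view NOBULK RO 20
snmp-server host 192.0.2.50 version 2c public
access-list 10 permit host 192.0.2.10
access-list 20 permit host 192.0.2.11
"""

def parse_communities(lines):
    """Map community string -> {mode, acl, view} from 'snmp-server community' lines."""
    out = {}
    for line in lines:
        m = re.match(r"snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$", line)
        if m:
            name, view, mode, acl = m.groups()
            out[name] = {"mode": mode, "acl": acl, "view": view}
    return out

def audit_snmp_config(config_text):
    """Return findings for communities that fall short of the interim SNMP guidance."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    # Views that actually exclude something; a view with only 'included' rows hides nothing.
    views_with_exclusions = set()
    defined_acls = set()
    for l in lines:
        v = re.match(r"snmp-server view (\S+) \S+ excluded$", l)
        a = re.match(r"access-list (\d+) ", l) or re.match(r"ip access-list (?:standard|extended) (\S+)", l)
        if v:
            views_with_exclusions.add(v.group(1))
        if a:
            defined_acls.add(a.group(1))
    findings = []
    for name, c in parse_communities(lines).items():
        if c["acl"] is None:
            findings.append(f"{name}: no access-list, any source can query")
        elif c["acl"] not in defined_acls:
            # IOS treats a referenced-but-undefined ACL as permit any.
            findings.append(f"{name}: access-list {c['acl']} referenced but not defined")
        if c["mode"] == "RW":
            findings.append(f"{name}: read-write community")
        if c["view"] not in views_with_exclusions:
            findings.append(f"{name}: no view excluding affected OIDs")
    return findings

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f)
```

Passing findings are the communities that are absent from the output; in the sample only `monitor` (ACL 20 plus the NOBULK view) is clean.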
Available material does not identify the operator behind **Operation Zero Disco**, does not quantify how many devices were compromised, and does not establish how broadly the rootkit techniques succeeded across exposed Cisco environments. What is clear is that **CVE-2025-20352** moved from zero-day disclosure into a persistence-focused intrusion story, so defenders need both patch deployment and compromise assessment on potentially exposed devices.