
Cisco network-device rootkit campaign

Type: Campaign
Happening score: 58
1 unique source, 1 article

Summary


A Cisco network-device rootkit campaign is exploiting CVE-2025-20352 and a modified CVE-2017-3881 Telnet flaw to gain persistent, unauthorized access on exposed devices. The operation matters because it can hide changes, bypass authentication, and survive long enough to enable follow-on movement across Cisco 9400, 9300, and 3750G environments. It has also been observed against older Linux hosts, showing a multi-stage access path rather than a one-off exploit.

Cases

Related Happenings

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 · Last: 14.05.2026 23:09 · Sources: 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)

Vulnerability
First: 24.04.2026 20:06 · Last: 24.04.2026 20:06 · Sources: 1

About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...

Cisco security patch release for CVE-2026-20184

Security Patch Release
First: 16.04.2026 14:27 · Last: 16.04.2026 14:27 · Sources: 1

About this happening: **Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...

Cisco ISE and ISE-PIC input-validation RCE (CVE-2026-20147)

Vulnerability
First: 16.04.2026 14:27 · Last: 16.04.2026 14:27 · Sources: 1

About this happening: Cisco's **CVE-2026-20147** flaw in **Identity Services Engine (ISE)** and **ISE-PIC** can let authenticated admins reach **remote code execution** by sending **crafted HTTP reques...

Cisco IMC password change authentication bypass (CVE-2026-20093)

Vulnerability
First: 02.04.2026 14:01 · Last: 02.04.2026 14:01 · Sources: 1

About this happening: Cisco released **security updates** for **Cisco IMC/CIMC** after a **password-change authentication bypass** was found that lets **unauthenticated attackers** gain **Admin access*...

Timeline

  1. 16.10.2025 18:00 · 2 articles · 7mo ago

    Cisco SNMP rootkit campaign disclosed (Initial Disclosure)

    A Cisco network-device rootkit campaign used CVE-2025-20352 against exposed Cisco SNMP services to install Linux rootkits, embed hooks into IOSd memory, and create a universal password based on "disco" for persistent unauthorized access. The same activity also used a modified Telnet flaw based on CVE-2017-3881, a UDP controller, and memory-access techniques that concealed configuration changes on Cisco 9400 series, 9300 series, and legacy 3750G devices.