Operation Zero Disco Cisco IOS/IOS XE rootkit campaign

Type: Campaign
Happening score: 59
2 unique sources, 2 articles

Summary

A campaign dubbed Operation Zero Disco exploited CVE-2025-20352, a vulnerability in the SNMP subsystem of Cisco IOS Software and IOS XE Software, to deploy Linux rootkits and gain persistent access on vulnerable devices. The activity mattered because the flaw was exploited as a zero-day before Cisco's patch was available, and it primarily hit Cisco Catalyst 9400, 9300, and legacy 3750G series systems. The campaign also used a modified Telnet exploit based on CVE-2017-3881 and spoofed IP and MAC addresses to broaden access and maintain persistence while evading detection.

Related Happenings

Cisco ThousandEyes and Nexus security patches

Security Patch Release
First: 21.05.2026 15:04 · Last: 21.05.2026 15:04 · Sources: 1

About this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
First: 06.05.2026 12:48 · Last: 06.05.2026 12:48 · Sources: 1

About this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...

Cisco Secure Firewall Management Center patch release (CVE-2026-20079, CVE-2026-20131)

Security Patch Release
First: 04.03.2026 21:12 · Last: 04.03.2026 21:12 · Sources: 1

About this happening: **Cisco Secure Firewall Management Center (FMC)** patch release for **CVE-2026-20131** and **CVE-2026-20079** addressed **CVSS 10** flaws that could let an **unauthenticated remot...

Latest development: 20.03.2026 17:09

CISA ordered Federal Civilian Executive Branch (FCEB) agencies to apply security updates for CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22 after Cisco updated its bulletin on March 18 to warn of active exploitation in the wild. Amazon threat intelligence researchers said Interlock ransomware had been exploiting CVE-2026-20131 as a zero-day since the end of January, and Cisco said the web-based management interface could let an unauthenticated, remote attacker execute arbitrary Java code as root on an affected device.

UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Campaign
First: 17.02.2026 22:15 · Last: 17.02.2026 22:15 · Sources: 1

About this happening: The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...

Latest development: 19.02.2026 17:30

CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.

VoidLink Linux C2 malware activity

Malware Activity
First: 09.02.2026 17:25 · Last: 09.02.2026 17:25 · Sources: 1

About this happening: **VoidLink** is an operational **Linux C2 framework** used by **UAT-9921** as a **post-compromise tool** against **technology and financial services** targets. Cisco Talos says th...

Timeline

  1. 16.10.2025 14:38 · 3 articles

    Trend Micro discloses Operation Zero Disco Cisco IOS rootkit campaign

    Initial Disclosure

    Trend Micro disclosed Operation Zero Disco, a campaign that weaponized CVE-2025-20352 against Cisco IOS Software and IOS XE Software as a zero-day to deploy Linux rootkits on older, unprotected systems. The activity primarily targeted Cisco Catalyst 9400, 9300, and legacy 3750G series devices, used a modified Telnet exploit based on CVE-2017-3881, and enabled remote code execution and persistent unauthorized access through universal passwords and hooks planted in Cisco IOS daemon (IOSd) memory space. The intruders used spoofed IP and MAC addresses to hinder attribution and detection.

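The disclosure above lists the conditions the campaign relied on: a targeted platform family, SNMP reachable (CVE-2025-20352 is in the SNMP subsystem), Telnet still accepted on vty lines (the CVE-2017-3881 follow-on path), and a planted credential that survives as a "universal password". The following triage script is an added example, not code from Trend Micro, Cisco, or this site. It parses text captured from `show version` and `show running-config` and flags each of those conditions; the model-string regexes, the `EXPECTED_USERS` allowlist, and both sample captures are constructed assumptions, not real device output.

```python
"""Operation Zero Disco exposure triage over captured Cisco IOS/IOS XE show output.

Added example (not Trend Micro's, Cisco's, or the site's code). All sample
captures below are constructed; the allowlist and regexes are assumptions.
"""
import re

# Families named in the disclosure. Model-string patterns are assumed naming
# conventions (e.g. "C9300-24T", "C9407R", "WS-C3750G-24TS").
AFFECTED_PLATFORMS = {
    "Catalyst 9400": re.compile(r"\bC94\d\d"),
    "Catalyst 9300": re.compile(r"\bC93\d\d"),
    "Catalyst 3750G": re.compile(r"3750G"),
}

# Constructed `show version` excerpt (not from a real device).
SHOW_VERSION = """Cisco IOS XE Software, Version 17.09.04a
cisco C9300-24T (X86) processor with 1327935K/6147K bytes of memory.
"""

# Constructed `show running-config` excerpt (not from a real device).
RUNNING_CONFIG = """hostname edge-sw01
username admin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input all
line vty 5 15
 transport input ssh
"""

# Hypothetical allowlist of local accounts the organisation expects on the box.
EXPECTED_USERS = {"admin"}


def affected_platform(show_version):
    """Return the targeted family name if the model line matches one, else None."""
    for family, pattern in AFFECTED_PLATFORMS.items():
        if pattern.search(show_version):
            return family
    return None


def snmp_communities(config):
    """Return (community, mode) pairs; SNMP is the CVE-2025-20352 attack surface."""
    return re.findall(r"^snmp-server community (\S+)\s+(RO|RW)\b", config, re.M)


def telnet_vty_lines(config):
    """Return vty ranges whose transport input accepts Telnet (all or telnet)."""
    hits, current = [], None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+ \d+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the line-block
        elif current and re.match(r"^ transport input (all|telnet)\b", line):
            hits.append(current)
    return hits


def unexpected_users(config, expected=EXPECTED_USERS):
    """Return local usernames in the config that are not on the allowlist."""
    found = set(re.findall(r"^username (\S+)", config, re.M))
    return sorted(found - expected)


def triage(show_version, config):
    """One finding string per condition the campaign depended on."""
    findings = []
    family = affected_platform(show_version)
    if family:
        findings.append(f"platform: {family} is among the targeted families")
    for community, mode in snmp_communities(config):
        findings.append(f"snmp: community '{community}' ({mode}) exposes the CVE-2025-20352 surface")
    for vty_range in telnet_vty_lines(config):
        findings.append(f"telnet: vty {vty_range} accepts Telnet (CVE-2017-3881 follow-on path)")
    for user in unexpected_users(config):
        findings.append(f"account: unexpected local user '{user}'")
    return findings


if __name__ == "__main__":
    for finding in triage(SHOW_VERSION, RUNNING_CONFIG):
        print(finding)
```

The config-level checks only cover what the rootkit leaves in the configuration. The hooks the disclosure describes live in IOSd memory, so a device with no findings here is not cleared; a memory-level check or Cisco's own forensic guidance for the platform is still needed before trusting it.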