When cyber criminals go after routers and switches, it’s not noise. It’s control.
This week, reports confirmed that threat actors are exploiting a critical vulnerability in Cisco’s SNMP implementation (CVE 2025 20352) to deploy a rootkit on network switches. It’s another reminder that the infrastructure we rely on to see and defend our networks can also be turned against us.
At Critical Path Security, we’ve seen how these attacks evolve. A simple SNMP exposure turns into silent persistence, lateral movement, and data manipulation inside critical environments. This one is especially dangerous.
What Happened
Cisco IOS and IOS XE systems running certain builds are vulnerable to remote code execution through their SNMP stack. Once cyber criminals reach the SNMP interface, often left open for device management, they can execute code as root.
The exploit, active in the wild before Cisco’s advisory, targets several popular switch families: 9400, 9300, and the legacy 3750G. These are not obscure models; they’re sitting in enterprise cores, utility substations, and small business distribution closets all over the world.
Trend Micro researchers uncovered that attackers are deploying a rootkit they’ve dubbed part of Operation Zero Disco. The malware implants a hidden backdoor and configures a “universal access” password containing the word “disco.” From there, it hooks deep into the IOS process, hiding itself from config files, AAA, and logs.
Why It Matters
A compromised switch isn’t just another endpoint. It’s the heartbeat of your network.
This rootkit gives an adversary the ability to:
• Disable or spoof logs and monitoring
• Hide changes to configurations and access controls
• Listen on arbitrary UDP ports
• Move laterally through VLANs and subnets
• Spoof ARP traffic and impersonate trusted internal hosts
In some cases, even after a reboot, traces of the infection remain. Traditional forensic methods and log reviews won’t be enough.
For organizations that rely on these devices to maintain uptime and compliance, including those in energy, manufacturing, and local government, the implications are serious. If the network fabric itself becomes hostile, visibility collapses.
What to Do Now
Critical Path Security recommends immediate action.
1. Patch and Validate
Apply Cisco’s released firmware updates addressing CVE 2025 20352. Validate that no vulnerable images remain in your network.
2. Restrict SNMP Exposure
If SNMP is enabled, restrict it to the management plane only. Never expose it across operational or public networks. Move to SNMPv3 and enforce encryption and authentication.
3. Isolate and Monitor
Place all management interfaces in a separate, controlled VLAN. Implement out of band monitoring to ensure devices can’t tamper with their own logs.
4. Harden Configurations
Disable unused services. Audit AAA and VTY ACLs. Forward logs off box. Establish configuration baselines and automate drift detection.
5. Enhance Detection
Watch for anomalies:
• New UDP listeners
• Sudden config changes
• Disabled or missing log entries
• ARP or VLAN anomalies
Tools like Léargas XDR can correlate these signals across IT and OT layers, identifying hidden device behavior before a cyber criminal gains persistence.
6. Prepare for Response
If compromise is suspected, assume firmware manipulation. Engage vendor or trusted security partners with deep forensics capability.
We recommend maintaining golden firmware images, full configuration snapshots, and independent telemetry such as Zeek, NetFlow, or SPAN captures for validation.
The Bigger Picture
We’re witnessing the next evolution in infrastructure compromise. Cyber criminals aren’t just after servers or user accounts; they’re undermining the systems that define trust and control.
Network infrastructure has long been the blind spot in most organizations’ defensive posture. The same tools that keep networks running can provide near perfect cover for advanced intrusions.
At Critical Path Security, we believe the solution isn’t just patching. It’s visibility. By combining telemetry from switches, firewalls, endpoints, and cloud services, and correlating it through advanced analytics, defenders regain the advantage.
This incident should serve as a warning shot. If your visibility depends on the compromised device, you don’t have visibility at all.
References
BleepingComputer: Hackers exploit Cisco SNMP flaw to deploy rootkit on switches
Cisco Security Advisory: CVE 2025 20352
Trend Micro Research: Operation Zero Disco Technical Analysis