Operation Zero Disco is a sophisticated cyberattack campaign leveraging a recently disclosed stack overflow vulnerability (CVE-2025-20352) in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software. This vulnerability allows an authenticated remote attacker to execute arbitrary code by sending specially crafted SNMP packets to vulnerable devices. The campaign primarily targets legacy Cisco switch models including the 9400, 9300, and 3750G series, which run older Linux-based IOS versions lacking modern endpoint detection and mitigation features. Once exploited, attackers deploy Linux rootkits that implant hooks directly into the IOS daemon (IOSd) memory space, enabling persistent remote code execution and unauthorized access. The rootkit sets a universal password containing the string "disco" (a play on "Cisco") by modifying IOSd memory, bypasses AAA authentication, disables logging, conceals configuration changes by altering timestamps, and hides itself by using fileless techniques that vanish after reboot. Additionally, attackers have attempted to exploit a modified Telnet vulnerability derived from CVE-2017-3881 to gain arbitrary memory read/write capabilities, although the full extent of this functionality remains unclear. The rootkit is controlled via a UDP listener component that can operate on any port, further complicating detection. Newer Cisco devices with Address Space Layout Randomization (ASLR) provide some defense, but repeated exploitation attempts can still succeed. Cisco released a patch shortly after the vulnerability disclosure, but the zero-day exploitation window allowed attackers to compromise unpatched systems. The campaign uses spoofed IP and MAC addresses to obfuscate attacker origin. No specific threat actor attribution has been made. The attack's stealth, persistence, and targeting of critical network infrastructure pose significant risks to organizations relying on affected Cisco hardware.

For European organizations, the impact of Operation Zero Disco can be severe, especially for enterprises, service providers, and government agencies relying on legacy Cisco network infrastructure. Compromise of core switches can lead to unauthorized persistent access, enabling attackers to intercept, manipulate, or disrupt network traffic, potentially affecting confidentiality, integrity, and availability of sensitive data and services. The rootkit's stealth capabilities make detection and incident response challenging, increasing dwell time and risk of lateral movement within networks. Disabling logs and hiding configuration changes impede forensic investigations. The universal password backdoor can allow attackers to maintain long-term control, bypassing standard authentication mechanisms. Organizations lacking endpoint detection and response (EDR) on network devices are particularly vulnerable. The exploitation of a Telnet-related memory vulnerability further expands the attack surface. Disruption or manipulation of critical network infrastructure could impact essential services, regulatory compliance, and business continuity. The campaign's targeting of older Cisco devices means organizations with delayed patch management or legacy hardware are at heightened risk.

European organizations should immediately verify the Cisco IOS and IOS XE versions running on their network switches, focusing on 9400, 9300, and 3750G series devices. Apply Cisco's official patches for CVE-2025-20352 without delay. Where patching is not immediately feasible, implement network segmentation to isolate vulnerable devices and restrict SNMP access to trusted management hosts only. Disable SNMP if not required or limit it to read-only mode with strict access controls. Deploy network monitoring solutions capable of detecting anomalous SNMP traffic patterns and unusual UDP listener activity on switches. Enable and regularly review logging on network devices, and implement integrity monitoring to detect unauthorized configuration changes or timestamp alterations. Introduce endpoint detection and response (EDR) solutions tailored for network devices where possible. Conduct thorough audits for the presence of the rootkit indicators, including unusual universal passwords and hidden processes in IOSd memory. Restrict Telnet access and disable legacy protocols in favor of secure alternatives like SSH. Employ strong authentication mechanisms and multi-factor authentication for network device management. Regularly update asset inventories and retire unsupported legacy hardware. Finally, conduct incident response exercises simulating rootkit infections to prepare teams for detection and remediation.