Overview
- Cisco patched CVE-2025-20352, a stack overflow in the SNMP subsystem of IOS and IOS XE, and its PSIRT confirmed the flaw was exploited in the wild as a zero-day before the fix shipped.
- Trend Micro reports that attackers chained the SNMP stack overflow with a modified exploit for the Telnet bug CVE-2017-3881, and recovered exploit variants built for both 32-bit and 64-bit platforms.
- The implant sets a universal password containing "disco", hooks into IOSd memory, and takes commands from a UDP-based controller that lets the operator hide configuration changes, bypass AAA and VTY ACL checks, and toggle or delete logs.
- Observed targets include Cisco Catalyst 9400 and 9300 series switches, legacy 3750G switches, and older Linux hosts without EDR; ASLR on the newer platforms lowers the exploit's success rate but repeated attempts can still succeed.
- Defenders are advised to apply Cisco updates, harden or disable SNMP and Telnet, restrict management access, use Trend Micro detection rules, and contact Cisco TAC for low-level firmware and ROM investigations.
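The hardening advice above, shown as an IOS/IOS XE configuration fragment. This is an added example, not configuration from Trend Micro's report or Cisco's advisory; the management subnet (10.0.0.0/24), the syslog host (10.0.0.5), and the ACL, view, group and user names are assumptions chosen for illustration. The first block is the weak state to remove, the second is the hardened replacement.

```cisco
! --- Weak (remove) ---
! Well-known v1/v2c community strings reachable from any source: every host
! that can send UDP/161 to the switch can talk to the SNMP subsystem.
snmp-server community public RO
snmp-server community private RW
! Telnet accepted on the VTY lines with no source restriction.
line vty 0 4
 transport input telnet ssh
 login local

! --- Hardened ---
! Management ACL: only the assumed management subnet may reach SNMP and the VTYs.
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
 deny   any log
! Drop the v1/v2c communities entirely.
no snmp-server community public
no snmp-server community private
! SNMPv3 with authentication and privacy, read-only, bound to the ACL.
snmp-server view V3READ iso included
snmp-server group SNMP-ADMINS v3 priv read V3READ access MGMT-ACL
snmp-server user netmon SNMP-ADMINS v3 auth sha <auth-password> priv aes 128 <priv-password>
! If the device does not need SNMP at all, disable the agent instead:
! no snmp-server
! VTYs: SSH only, source-restricted, idle sessions closed.
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
 login local
 exec-timeout 10 0
! Send configuration-change events off-box so that an implant hiding changes
! from the local running-config still leaves a trail on the syslog collector.
logging host 10.0.0.5
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
```

Cisco's advisory states that all SNMP versions (v1, v2c and v3) are affected, so moving to SNMPv3 and restricting source addresses reduces exposure but does not replace the patch. Off-box configuration-change logging matters here specifically because the implant can suppress or delete local logs; a collector the switch cannot reach back into keeps the record.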