Overview
- Attackers exploited CVE-2025-20352, a flaw in the SNMP subsystem of Cisco IOS and IOS XE, to gain remote code execution on affected devices. Per Cisco's advisory, exploitation requires valid SNMP credentials (a v1/v2c community string or an SNMPv3 user), so leaked or default community strings are part of the attack surface.
- The campaign primarily hit Cisco 9400 and 9300 series switches and legacy 3750G series gear, and favored environments whose older Linux hosts had no endpoint detection and response (EDR) coverage.
- Intruders paired the SNMP bug with a modified exploit derived from the Telnet flaw CVE-2017-3881 to obtain arbitrary memory read and write, and used a UDP listener as the command channel for controlling compromised devices.
- The rootkit hooked IOSd in memory, set a universal backdoor password built around the string "disco", hid items from the running configuration, bypassed VTY access controls and AAA authentication, and could toggle or delete logs. Because configuration items are hidden, `show running-config` output from a suspect device cannot be trusted as evidence of a clean state.
- Cisco released fixes late last month, after exploitation had already been observed in the wild. There is no universal test for compromise, so owners are urged to patch, follow Cisco's and Trend Micro's hardening guidance, and engage Cisco TAC for low-level forensic examination of suspect devices.
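One concrete hardening check in the spirit of the vendor guidance, as an added example that is not code from Cisco, Trend Micro or the reported campaign: a small Python audit that flags SNMP and VTY exposure in an IOS/IOS XE running-config. The sample config, hostnames, community strings and ACL names are constructed for illustration. It is a configuration review, not a compromise test, and it should be run against a config exported from a known-good baseline or backup, since the rootkit hides its own configuration changes on an infected device.

```python
"""Offline SNMP/VTY exposure audit for a Cisco IOS / IOS XE running-config.

Added example, not code from Cisco or Trend Micro. It encodes the standard
mitigations for an SNMP-reachable bug such as CVE-2025-20352: no well-known
community strings, no read-write v1/v2c communities, every community bound
to an ACL that actually exists, SNMPv3 at auth+priv, and VTY lines behind an
access-class. A clean result does NOT prove a device is uncompromised.
"""
import re
from dataclasses import dataclass

# Constructed sample config for a hypothetical switch (not a real device).
SAMPLE_CONFIG = """\
hostname core-sw-1
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server community n3tmon RO 10
snmp-server community mgmt RO MGMT-ACL
snmp-server community private RW
snmp-server group OPS v3 auth
snmp-server user ops-ro OPS v3 auth sha S3cretPass
snmp-server user ops-priv OPS v3 auth sha S3cretPass priv aes 128 S3cretKey
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 access-class 10 in
 login local
"""

WELL_KNOWN = {"public", "private", "cisco"}

COMMUNITY_RE = re.compile(r"^snmp-server community (?P<name>\S+)(?P<rest>.*)$")
GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)")
USER_RE = re.compile(r"^snmp-server user \S+ \S+ v3(?P<rest>.*)$")
ACL_RE = re.compile(r"^(?:access-list (?P<num>\S+)|ip access-list (?:standard|extended) (?P<name>\S+))")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: str      # offending config line (or a synthesized one for groups)
    reason: str


def _defined_acls(lines):
    """Collect numbered and named ACLs declared anywhere in the config."""
    acls = set()
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls.add(m["num"] or m["name"])
    return acls


def _community_findings(line, name, rest, acls):
    # Syntax: snmp-server community NAME [view V] [RO|RW] [ipv6 ACL6] [ACL]
    tokens = rest.split()
    for kw in ("view", "ipv6"):  # drop the keyword and its argument
        if kw in tokens:
            i = tokens.index(kw)
            del tokens[i:i + 2]
    mode = "RO"  # IOS defaults to read-only when RO/RW is omitted
    if tokens and tokens[0].upper() in ("RO", "RW"):
        mode = tokens.pop(0).upper()
    acl = tokens[0] if tokens else None
    out = []
    if name.lower() in WELL_KNOWN:
        out.append(Finding("high", line, "well-known community string"))
    if mode == "RW":
        out.append(Finding("high", line, "read-write v1/v2c community"))
    if acl is None:
        out.append(Finding("medium", line, "community not bound to an ACL"))
    elif acl not in acls:
        out.append(Finding("high", line, f"ACL {acl} is not defined; community is unrestricted"))
    return out


def audit_config(config: str) -> list:
    lines = [ln.rstrip() for ln in config.splitlines()]
    acls = _defined_acls(lines)
    findings, groups = [], {}
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := COMMUNITY_RE.match(line):
            findings += _community_findings(line, m["name"], m["rest"], acls)
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m["level"]
        elif m := USER_RE.match(line):
            if " priv " not in (m["rest"] + " "):
                findings.append(Finding("medium", line, "SNMPv3 user without priv (no encryption)"))
        elif line.startswith("line vty"):
            i += 1
            stanza = []  # indented sub-commands belong to this line stanza
            while i < len(lines) and lines[i].startswith(" "):
                stanza.append(lines[i].strip())
                i += 1
            if not any(s.startswith("access-class") for s in stanza):
                findings.append(Finding("medium", line, "VTY lines without access-class"))
            continue
        i += 1
    for group, level in groups.items():
        if level != "priv":
            findings.append(Finding("medium", f"snmp-server group {group} v3 {level}",
                                    "SNMPv3 group does not require priv"))
    return findings


def severity_counts(findings) -> dict:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}  <- {f.reason}")
    print(severity_counts(audit_config(SAMPLE_CONFIG)))
```

On the sample, the `n3tmon` community (read-only, bound to an existing ACL) and the `vty 5 15` block (access-class applied) pass; everything else is flagged. Treat any RW community or undefined ACL as an immediate fix, and pair this with the vendor's patched release rather than relying on the ACLs alone.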