So there's apparently someone running around owning Cisco boxes with CVE-2025-20352, Trend Micro has found. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
However: This vuln requires privileges (Level 15 according to TM's blog). How do the exploiters reach this level of privilege? There's mention of some IP spoofing trickery, do they impersonate a host that carries privilege just by its IP address? Anyone understand how they do it?
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

Trend Micro
@christopherkunz Every part of the vulnerability description says “authenticated” access, so the user already has quite a bit of access _already_ granted to them. This issue just allows them to take the device offline I think
@martintheg Yes, the blog authors answered me last night (via the press department at Trend Micro): To run the exploit, the attacker must know the credentials for the Cisco devices, i.e. must have pre-existing access.

@christopherkunz I don't think TM's IP spoofing has anything to do with the original exploit; it seems more like an example of what an attacker can do once they've gained access.

The "admin privileges" part is confusing. SNMPv1 and v2c don't have a concept of privileges aside from read-only vs read-write, and an ACL to grant/deny visibility to various OIDs.

SNMPv3 can use user based authentication so maybe that's where the admin / level15 privileges come into it. But IMHO if someone has configured SNMPv3 users with root privileges, they're just asking for trouble.

@whyrl I just re-read the Cisco advisory and it says, " To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device."
A couple of parentheses would have helped...

(SNMP (v1 | v2c) community string) || (SNMPv3 credentials && (admin || level 15 ) creds)

That's how I read it and that means that having the community string makes the attacker "authed".
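The prerequisites quoted from the Cisco advisory above (a v1/v2c community string, or SNMPv3 credentials, plus privilege 15 on the box) map onto three separate knobs in an IOS configuration: who is allowed to speak SNMP to the device at all, whether that access is read-only, and whether SNMPv3 with authentication and privacy is used instead of a plaintext community. The following is an added illustration, not configuration from the thread, Trend Micro or Cisco; the ACL name, view name, group, user, IP address and secrets are placeholders. It does not fix CVE-2025-20352 (that is the vendor patch), it only shrinks the population that satisfies the "authenticated" half of the prerequisite.

```text
! Added example (not from the thread or the Cisco advisory): SNMP hardening on IOS/IOS-XE.
! Every name, address and secret below is a placeholder.
!
! 1. Only the management station may reach the SNMP agent at all.
ip access-list standard SNMP-MGMT
 permit host 10.0.0.5
 deny   any log
!
! 2. The weak pattern the thread warns about, shown only as the "before" (do not deploy):
!    a well-known, read-write community with no ACL, reachable from anywhere.
! snmp-server community public RW
!
! 3. If v2c must stay for a legacy poller: read-only, scoped to a view, bound to the ACL.
snmp-server view MGMT-VIEW iso included
snmp-server community Xk7q2Lp9r view MGMT-VIEW RO SNMP-MGMT
!
! 4. Preferred: an SNMPv3 authPriv user in a read-only group, also bound to the ACL.
snmp-server group NMS-RO v3 priv read MGMT-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-RO v3 auth sha Auth1Passw0rd priv aes 128 Priv1Passw0rd
!
! 5. Keep device administration (privilege 15) out of SNMP entirely: no write view,
!    and leave SNMP-triggered reload disabled (the default).
no snmp-server system-shutdown
```

After applying, `show snmp community`, `show snmp group` and `show snmp user` confirm which strings, views and ACLs are actually in effect; the point of the ACL line is that an attacker who has learned the community string from a scan or a leaked config still has to source traffic from 10.0.0.5, which is where the thread's IP/ARP spoofing discussion comes in.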

@whyrl Anyhoo, I reached out to the Trend Micro press contact to help clear this up.
@christopherkunz I think the article is confusing. The attacker would have to be inside the network first with knowledge of the SNMP strings and network access to the SNMP-enabled interface. Once they have compromised the switches the ARP spoofing is achievable but tricky and breaks things. I read it as how they got from a compromised internal host to a host in a protected DMZ by bypassing the firewall using the compromised switches, i.e. took over the MAC address of the target, see ettercap for example.
@christopherkunz I think to use this method from outside the network would only work if the switch was placed between the Internet router and the firewall and had a publicly routable IP accessible from the Internet with SNMP enabled on it and with attacker knowledge of the string. The same switch would need to host the target or be connected to a switch that did. It's not uncommon for switches to be deployed like that but generally they would be layer 2 only and managed via console/terminal server.