So there's apparently someone running around owning Cisco boxes with CVE-2025-20352, Trend Micro has found. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
However, this vuln requires privileges (level 15, according to TM's blog). How do the exploiters reach this level of privilege? There's mention of some IP spoofing trickery; do they impersonate a host that carries privilege just by its IP address? Anyone understand how they do it?
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

Trend Micro

@christopherkunz I don't think TM's IP spoofing has anything to do with the original exploit; it seems more like an example of what an attacker can do once they've gained access.

The "admin privileges" part is confusing. SNMPv1 and v2c don't have a concept of privileges aside from read-only vs read-write, and an ACL to grant/deny visibility to various OIDs.

SNMPv3 can use user-based authentication, so maybe that's where the admin / level 15 privileges come into it. But IMHO, if someone has configured SNMPv3 users with root privileges, they're just asking for trouble.
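To make the distinction in the post above concrete, here is a Cisco IOS configuration fragment added to this thread (it is not from any of the posts, nor from Trend Micro or Cisco). It contrasts a weak v1/v2c setup with a v2c setup locked down by an ACL and an SNMPv3 authPriv setup that restricts what the management group can read. The NMS address, community string, user name, passwords and the excluded subtree are placeholders.

```text
! Weak: a well-known read-write community, no ACL, reachable from anywhere.
! Whoever knows or sniffs the string is "authenticated" as far as SNMP is concerned.
snmp-server community public RW

! Tighter v2c: read-only community, accepted only from the NMS via a standard ACL.
! The community string still crosses the wire in cleartext and is the only secret.
access-list 10 remark SNMP-MANAGERS
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server community <ro-community-string> RO 10

! SNMPv3 authPriv: per-user authentication and encryption, a view that limits
! which OID subtrees the group may read, no write view, and the same source ACL.
snmp-server view MGMT-VIEW iso included
snmp-server view MGMT-VIEW <subtree-to-hide> excluded
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user nms-poller MGMT-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
```

`show snmp community`, `show snmp group` and `show snmp user` confirm what the device ended up with (v3 users do not appear in the running config). None of this maps an SNMP user onto an IOS privilege level; it only narrows who can speak SNMP to the box and which subtrees they can see, which is the part of the picture the v1/v2c "read-only vs read-write plus ACL" model covers.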

@whyrl I just re-read the Cisco advisory and it says, "To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device."
A couple of parentheses would have helped...

(SNMP (v1 | v2c) community string) || (SNMPv3 credentials && (admin || level 15 ) creds)

That's how I read it, and that means that having the community string makes the attacker "authed".