So there's apparently someone running around owning Cisco boxes with CVE-2025-20352, Trend Micro has found. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
However: This vuln requires privileges (Level15 according to TM's blog). How do the exploiters reach this level of privilege? There's mention of some IP spoofing trickery, do they impersonate a host that carries privilege just by its IP address? Anyone understand how they do it?
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

Trend Micro

@christopherkunz I don't think TM's IP spoofing has anything to do with the original exploit; it seems more like an example of what an attacker can do once they've gained access.

The "admin privileges" part is confusing. SNMPv1 and v2c don't have a concept of privileges aside from read-only vs read-write, and an ACL to grant/deny visibility to various OIDs.

SNMPv3 can use user based authentication so maybe that's where the admin / level15 privileges come into it. But IMHO if someone has configured SNMPv3 users with root privileges, they're just asking for trouble.
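Since the thread turns on what "privileges" mean for SNMP v1/v2c (a community string that is RO or RW, optionally limited to source addresses by an access list) versus v3 (user-based security levels), here is an added example, not from the thread or from Trend Micro, that audits an IOS-style running-config excerpt for the weak SNMP settings under discussion. The config lines are constructed; the `snmp-server community` / `snmp-server group` syntax is standard IOS, and the severity rules are my own assumption about what a defender would flag first.

```python
import re
from typing import List, Tuple

# Constructed IOS-style running-config excerpt for illustration; not from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community netops RW 10
snmp-server view ROVIEW iso included
snmp-server group NETMON v3 priv read ROVIEW
snmp-server group LEGACY v3 noauth read ROVIEW write ROVIEW
"""

# v1/v2c: community string, RO/RW mode, optional trailing access-list name or number
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?", re.I)
# v3: group name, security level (noauth/auth/priv), then read/write view options
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$", re.I)


def audit_snmp(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for SNMP lines in an IOS-style config."""
    findings: List[Tuple[str, str]] = []
    for line in config.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if mode == "RW":
                # RW community = full write access with no per-user authentication
                findings.append(("high", f"community '{name}' is read-write (v1/v2c)"))
            if acl is None:
                # without an ACL any source address that knows the string can query
                findings.append(("medium", f"community '{name}' has no source ACL"))
            if name.lower() in ("public", "private"):
                findings.append(("high", f"community '{name}' is a well-known default"))
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level, rest = m.group(1), m.group(2).lower(), m.group(3)
            if level != "priv":
                # noauth/auth send requests unencrypted; 'priv' is the only level with confidentiality
                findings.append(("medium", f"v3 group '{group}' uses '{level}', not 'priv'"))
            if re.search(r"\bwrite\b", rest, re.I):
                findings.append(("medium", f"v3 group '{group}' grants a write view"))
    return findings
```

Run against a real `show running-config | include snmp-server` dump, RW communities and non-`priv` v3 groups are the lines to review first.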

@whyrl Anyhoo, I reached out to the Trend Micro press contact to help clear this up.