So there's apparently someone running around owning Cisco boxes with CVE-2025-20352, Trend Micro has found. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
However: This vuln requires privileges (Level 15 according to TM's blog). How do the exploiters reach this level of privilege? There's mention of some IP spoofing trickery, do they impersonate a host that carries privilege just by its IP address? Anyone understand how they do it?
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

Trend Micro
@christopherkunz I think the article is confusing. The attacker would have to be inside the network first with knowledge of the SNMP strings and network access to the SNMP-enabled interface. Once they have compromised the switches the ARP spoofing is achievable but tricky and breaks things. I read it as how they got from a compromised internal host to a host in a protected DMZ by bypassing the firewall using the compromised switches, i.e. took over the MAC address of the target, see ettercap for example.
@christopherkunz I think to use this method from outside the network would only work if the switch was placed between the Internet router and the firewall and had a publicly routable IP accessible from the Internet with SNMP enabled on it and with attacker knowledge of the string. The same switch would need to host the target or be connected to a switch that did. It's not uncommon for switches to be deployed like that but generally they would be layer 2 only and managed via console/term svr.
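The replies above boil the exploit's preconditions down to two things: knowledge of a community string and network reach to the SNMP-enabled interface. As an added example that is not part of this thread or of Trend Micro's report, here is a small Python audit that scans a Cisco IOS running-config (a constructed sample, not a real device) for community strings that weaken either precondition: well-known strings, write access, or no source-IP ACL. The IOS syntax it handles and the sample config are assumptions of the example.

```python
import re

# Constructed sample Cisco IOS running-config fragment (not from the thread or the blog).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n RO 10
snmp-server community ops-rw RW SNMP-MGMT
access-list 10 permit 10.20.30.0 0.0.0.255
ip access-list standard SNMP-MGMT
 permit host 10.20.30.5
"""

# snmp-server community <string> [view <v>] RO|RW [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)"
    r"(?:\s+ipv6\s+\S+)?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Community strings an attacker would try first; treated as a finding on sight.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}


def defined_acls(config: str) -> set:
    """Collect numbered and named ACL identifiers declared in the config."""
    acls = set()
    for line in config.splitlines():
        m = (re.match(r"^access-list (\d+)\s", line)
             or re.match(r"^ip access-list (?:standard|extended) (\S+)", line))
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config: str) -> list:
    """Return (community, mode, [issues]) for every community that needs attention."""
    findings = []
    acls = defined_acls(config)
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        issues = []
        if community.lower() in WEAK_COMMUNITIES:
            issues.append("well-known community string")
        if acl is None:
            issues.append("no ACL: reachable from any source IP")
        elif acl not in acls:
            issues.append(f"ACL {acl} referenced but not defined")
        if mode == "RW":
            issues.append("write access")
        if issues:
            findings.append((community, mode, issues))
    return findings
```

Run it against the real `show running-config` output to list the communities that give an attacker on the wrong side of the switch something to work with.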