So there's apparently someone running around owning Cisco boxes with CVE-2025-20352, Trend Micro has found. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
However: This vuln requires privileges (Level 15 according to TM's blog). How do the exploiters reach this level of privilege? There's mention of some IP spoofing trickery; do they impersonate a host that carries privilege just by its IP address? Anyone understand how they do it?
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series.

Trend Micro
@christopherkunz Every part of the vulnerability description says “authenticated” access, so the user already has quite a bit of access _already_ granted to them. This issue just allows them to take the device offline I think
@martintheg Yes, the blog authors answered me last night (via the press department at Trend Micro): To run the exploit, the attacker must know the credentials for the Cisco devices, i.e. must have pre-existing access.