‘Zero Disco’ campaign hits legacy Cisco switches with fileless rootkit payloads

Effects beyond one-time infection: According to Trend Micro, the campaign affected specific Cisco families, including 9400, 9300, and legacy 3750G switches. Affected organizations face more than a one-off compromise, as infected switches can provide attackers a long-term, stealthy platform for lateral movement, data interception, or further payload delivery.

Parts of the exploit are fileless or volatile, with some components disappearing on reboot, while hooks left in memory endure and some functions are reactivated dynamically, all of which complicates detection.

“Currently, there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation,” the researchers said. “If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions.”

Additional Trend recommendations include applying patches for CVE-2025-20352, hardening SNMP access (restrict management-plane reachability, enforce ACLs), and deploying network/endpoint detections that hunt for the indicators of compromise (IoCs) and unusual UDP SNMP controller traffic. Trend also recommended combining its Trend Cloud One Network Security, Trend Vision One, and Deep Discovery offerings for targeted network inspection and XDR against ZeroDisco efforts.
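As an added illustration of the last recommendation (hunting for unusual UDP SNMP traffic toward affected switches), and not code from the article or from Trend Micro, the following script flags SNMP flows whose manager-side address falls outside the expected management network. It assumes comma-separated flow records exported from a collector and a management subnet of 10.0.100.0/24; the sample records are constructed.

```python
"""Flag SNMP (UDP/161, UDP/162) flows that do not follow the expected
management-plane path. Assumptions (not from the article): flow records
are comma-separated "src,dst,proto,dport,bytes" lines and the legitimate
SNMP managers/trap collectors live in 10.0.100.0/24 (assumed subnet)."""
import ipaddress
from dataclasses import dataclass

SNMP_PORTS = {161, 162}
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")  # assumed management subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one 'src,dst,proto,dport,bytes' record into a Flow."""
    src, dst, proto, dport, nbytes = [f.strip() for f in line.split(",")]
    return Flow(src, dst, proto.upper(), int(dport), int(nbytes))


def is_suspicious(flow):
    """True for UDP SNMP where the manager-side address is outside MGMT_NET.

    For port 161 (get/set) the manager is the source; for port 162 (traps)
    the receiver is the destination, so an unexpected trap sink is also flagged.
    """
    if flow.proto != "UDP" or flow.dport not in SNMP_PORTS:
        return False
    manager = flow.src if flow.dport == 161 else flow.dst
    return ipaddress.ip_address(manager) not in MGMT_NET


def suspicious_flows(lines):
    """Return the parsed flows that fail the management-path check."""
    return [f for f in map(parse_flow, lines) if is_suspicious(f)]


SAMPLE_FLOWS = [  # constructed sample records
    "10.0.100.5,10.0.1.2,UDP,161,120",     # expected NMS poll of a switch
    "203.0.113.77,10.0.1.2,UDP,161,2310",  # SNMP from outside the management net
    "10.0.1.2,10.0.100.5,UDP,162,90",      # trap to the expected collector
    "10.0.1.2,198.51.100.9,UDP,162,4096",  # trap to an unexpected receiver
    "10.0.50.8,10.0.1.2,TCP,22,5000",      # SSH, not SNMP, ignored
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT: SNMP outside management path: {f}")
```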

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4074585/zero-disco-campaign-hits-legacy-cisco-switches-with-fileless-rootkit-payloads.html
