All news with #snmp tag

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

Rockwell Automation Lifecycle Services SNMP Overflow

⚠️ Rockwell Automation reports a stack-based buffer overflow in its Lifecycle Services with Cisco offerings related to the Cisco IOS XE SNMP subsystem (CVE-2025-20352). An authenticated remote actor with low privileges can trigger a denial-of-service, and an actor with higher privileges and administrative access may achieve arbitrary code execution as root. A CVSS v4 score of 6.3 and a CVSS v3 score of 7.7 are provided. Rockwell and Cisco publish updates and mitigations; CISA advises minimizing network exposure and applying vendor fixes or recommended workarounds.

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

Cisco: Actively Exploited SNMP Flaw Risks RCE or DoS

🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.