EXECUTIVE SUMMARY:
A campaign exploits the Cisco SNMP vulnerability CVE-2025-20352 to gain remote code execution on vulnerable switches and implant persistent Linux rootkits that enable covert, long-term access. Where available, the attackers also leverage the older Telnet and cluster-management weakness CVE-2017-3881 to broaden access and persistence. They focus on older or unprotected switch builds where endpoint detection is limited, using these vulnerabilities to establish backdoors and conceal their activity.
The vulnerability can be exploited via crafted SNMP packets to achieve remote code execution on affected IOS and IOS-XE devices, and the operation has targeted older switch models including the 9400, 9300 and legacy 3750G series. Once a device is exploited, the attackers install a Linux rootkit that modifies IOSd memory, creates a universal backdoor password, and uses techniques that leave components fileless or transient across reboots; the actors also employed spoofed network identifiers and attempted related Telnet-based access methods. Technical indicators and the vendor advisory describe the specific SNMP attack vector, affected builds, and recommended immediate mitigations.
This operation demonstrates that legacy or unprotected network infrastructure can be turned into persistent footholds that resist routine detection and forensic review; organizations should treat affected switch platforms as a high priority for mitigation. Immediate actions should include applying vendor advisories and firmware updates where available, restricting or disabling SNMP that uses default community strings, enforcing least-privilege access to guest and management shells, auditing configuration and logs for signs of the UDP controller or unexpected universal passwords, and performing forensic validation of switches for in-memory hooks or rootkit indicators. Enhanced network segmentation, blocking suspicious SNMP and Telnet traffic, and deploying device and host telemetry to detect anomalous behavior are recommended to reduce risk.
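As an added example (not from the report or from the vendor), the following Python audit applies two of the configuration checks recommended above, default or read-write SNMP community strings without an access list, and vty lines that still accept Telnet, to a constructed IOS running-config excerpt, alongside a constructed hardened counterpart that passes both checks. The config text, the default-community list and the ACL number are constructed for illustration.

```python
import re
# Constructed IOS running-config excerpt with weak settings (not from the page or any real device).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t RW 10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""
# Constructed hardened counterpart: SNMPv3 group bound to an ACL, no v1/v2c communities, SSH-only vty.
HARDENED_CONFIG = """\
snmp-server group NETMON v3 priv access 10
line vty 0 15
 transport input ssh
"""
# Vendor/industry default community strings that should never survive hardening (constructed list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}
# name, optional RO/RW (RO when omitted), optional access-list; 'view' variants are not parsed here.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$", re.M)

def audit_snmp(config: str) -> list:
    """Flag SNMP v1/v2c community lines: default names, read-write access, missing ACL."""
    findings = []
    for name, mode, acl in COMMUNITY_RE.findall(config):
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{name}'")
        if mode == "RW":
            findings.append(f"read-write community '{name}'")
        if not acl:
            findings.append(f"community '{name}' has no access-list restriction")
    return findings

def audit_telnet(config: str) -> list:
    """Flag vty line ranges whose 'transport input' still accepts Telnet."""
    findings, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty "):
            current = line[len("line vty "):].strip()
        elif current and line.strip().startswith("transport input "):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"vty {current} accepts telnet")
    return findings

def audit_config(config: str) -> list:
    """Combined findings; an empty list means no community-string or Telnet exposure was found."""
    return audit_snmp(config) + audit_telnet(config)
```

Run `audit_config` over a saved `show running-config`; the weak excerpt yields six SNMP findings and one Telnet finding, the hardened one yields none.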
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
Initial Access | T1190 | Exploit Public-Facing Application | — |
Persistence | T1547.006 | Boot or Logon Autostart Execution | Kernel Modules and Extensions |
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
Defense Evasion | T1014 | Rootkit | — |
Credential Access | T1556.004 | Modify Authentication Process | Network Device Authentication |
Discovery | T1046 | Network Service Scanning | — |
Collection | T1602.001 | Data from Configuration Repository | SNMP |
REFERENCES:
The following reports contain further technical details: