Cisco SNMP Vulnerability Exploited: Rootkit Attacks on Catalyst Switches

Threat actors are exploiting CVE-2025-20352, a Cisco SNMP stack overflow affecting Catalyst 9300/9400 and legacy 3750G switches, to achieve remote code execution. Crafted SNMP packets over IPv4/IPv6 deploy persistent Linux rootkits that set universal passwords, suppress logs, and open covert UDP listeners. Researchers observed chaining via a modified Telnet flaw to achieve deeper memory access. Risks include tampering with configuration, manipulating traffic, and extended dwell time. Mitigations include patches, SNMPv3, ACL restrictions, and enhanced monitoring.

About CVE-2025-20352 and the SNMP Attack Vector

Although long-known weaknesses in network management are familiar to defenders, CVE-2025-20352 raises the stakes by enabling remote code execution through a stack overflow in Cisco’s SNMP subsystem on 9400, 9300, and legacy 3750G switches.

The Cisco vulnerability is triggered by crafted SNMP packets over IPv4 or IPv6, particularly where default public community strings persist. Successful exploitation grants code execution within the control plane, enabling configuration manipulation, log suppression, and lateral visibility.

Analysts note overlap with a repurposed Telnet flaw (CVE-2017-3881) that extends memory access on affected platforms, compounding the impact. The pathway ultimately supports Linux rootkit placement and persistence, though precise post-exploit behaviors are beyond the scope of this section.

Organizations are urged to patch promptly and harden SNMP exposure, credentials, and ACLs.

How Attackers Leveraged the Flaw to Install Persistent Rootkits

Building on the remote code execution pathway outlined in CVE-2025-20352, attackers used crafted SNMP packets against Cisco 9400, 9300, and 3750G switches to drop and control Linux rootkits that persisted across sessions.

Leveraging the Cisco SNMP vulnerability, the intrusion established a universal password to streamline unauthorized access and lateral movement. The rootkit exposed a covert UDP listener on arbitrary ports, toggled logging, and deleted records to obscure changes.

Attackers chained a modified telnet vulnerability (CVE-2017-3881) to read memory structures, coordinate handlers, and manage the implant’s runtime features.

Although the rootkit’s configuration edits were intentionally volatile and reverted after reboot, its control channel reinitialized post-compromise, enabling stealthy reapplication of settings and sustained command execution without standard authentication barriers.

Key Findings From Researchers and Evidence of Exploitation in the Wild

Researchers confirmed active exploitation of CVE-2025-20352, documenting remote code execution on Cisco 9400, 9300, and 3750G switches to plant Linux rootkits.

Investigators observed an exploit chain that blended malicious SNMP packets with a modified Telnet bug (CVE-2017-3881), enabling code injection despite command-length limits. The malware carried a universal password that granted unauthorized access and streamlined lateral movement across Cisco infrastructure.

For stealth, the rootkit disabled logging and altered records to mask configuration changes. Packet captures and forensic images indicated ARP spoofing to impersonate trusted IPs, expanding reach and persistence.

Researchers validated the vulnerability under live conditions, tying implants to consistent indicators: segmented SNMP payloads, backdoored authentication routines, and tampered syslog settings, collectively evidencing active, at-scale abuse in operational environments.

Impact on Enterprise Networks and Potential Business Risks

Evidence of active exploitation of CVE-2025-20352 on Cisco 9400, 9300, and 3750G switches signals direct business impact: attackers can assume device control, manipulate routing and ACLs, and silently reroute or inspect traffic via rootkits.

For enterprises, this translates into material risks: loss of network integrity, lateral movement, and sustained unauthorized access to sensitive data.

Remote code execution on core switches enables covert configuration changes and selective traffic manipulation, leading to security breaches, compliance exposure, and potential service disruptions.

Remote code execution on core switches enables covert changes and selective traffic manipulation, driving breaches and disruptions

Rootkits that hide changes and disable logging extend dwell time and complicate incident response, inflating operational and forensic costs.

With 46% of environments facing password cracking, compromised credentials amplify the blast radius.

The absence of universal detection tools shifts the burden to resource-intensive, low-level investigations and to proactive monitoring.

Immediate Mitigation Steps and Hardening Recommendations for Cisco Devices

Act swiftly to contain CVE-2025-20352 by prioritizing software updates on affected Cisco 9400, 9300, and 3750G devices per Cisco’s advisory, then tightening SNMP exposure.

Organizations should immediately update affected devices, replace default community strings, and restrict access to trusted management hosts using interface ACLs.

Where feasible, disable the SNMP service, or limit it to SNMPv3 with strong authentication and encryption.

Segment management networks, block SNMP from untrusted zones, and remove legacy Telnet.

Enable SNMP event logging, baseline configurations, and continuously monitor logs for unauthorized changes.

Validate image integrity and re-verify startup configs after patching.

Implement Trend Micro Deep Discovery for proactive detection of Cisco exploits, integrate threat intelligence feeds, and automate alerting.

Conduct rapid compromise assessments and enforce least-privilege credentials.