October 16, 2025 By Bill Toulas
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access.
The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
According to cybersecurity company Trend Micro, the attacks targeted Cisco 9400, 9300, and legacy 3750G series devices that did not have endpoint detection response solutions.
In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation."
