by hroi 3595 days ago
You can learn the community string by monitoring traffic. The community string is included in each and every SNMPv2 PDU. SNMPv2 performs no handshake, so is vulnerable to trivial spoofing. Enterprises and ISPs reusing community strings on every device and never rotating them is not unheard of.
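As an added example (not code from the thread or from any of its posters), the following Python shows what the comment above describes: an SNMPv1/v2c message is a plain BER SEQUENCE whose second element is the community string, so anything that can read the datagram can read the credential. The parser decodes the outer message and, for a defender, an audit helper groups observed v1/v2c traffic by community string so that one string polled against many devices stands out as a candidate for rotation or migration to SNMPv3. All packets and flows are constructed by hand for the example; the v3 message is truncated to its header.

```python
# Added example, not from the Hacker News thread: decode the outer SNMP
# message (version, plaintext community for v1/v2c, PDU type) and audit
# constructed flows for community strings reused across many devices.

VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "Trap"}


def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length


def parse_snmp(payload):
    """Decode the outer SNMP message: version, community (v1/v2c only) and PDU type."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    tag, ver, off = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    result = {"version": VERSION_NAMES.get(version, str(version)),
              "community": None, "pdu": None}
    if version in (0, 1):
        # v1/v2c: the community string is the next element and is sent in clear text.
        tag, community, off = read_tlv(body, off)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
        result["community"] = community.decode("latin-1")
        tag, _, _ = read_tlv(body, off)
        result["pdu"] = PDU_NAMES.get(tag, hex(tag))
    # v3 carries msgGlobalData and USM security parameters instead; no community here.
    return result


def audit_communities(observed):
    """observed: iterable of (poller, target, udp_payload) tuples captured on UDP/161.
    Returns {community: sorted targets} for v1/v2c traffic so reuse is visible."""
    reuse = {}
    for _poller, target, payload in observed:
        info = parse_snmp(payload)
        if info["community"] is not None:
            reuse.setdefault(info["community"], set()).add(target)
    return {c: sorted(hosts) for c, hosts in reuse.items()}


# Constructed v2c GetRequest for sysName.0 with community "public".
V2C_GET = bytes.fromhex(
    "3026"                # SEQUENCE, 38 bytes
    "020101"              # version INTEGER 1 = v2c
    "04067075626c6963"    # community OCTET STRING "public"
    "a019"                # GetRequest-PDU, 25 bytes
    "020101"              # request-id 1
    "020100"              # error-status 0
    "020100"              # error-index 0
    "300e300c06082b060102010105000500"  # varbind list: sysName.0, NULL
)

# Constructed v3 header (msgGlobalData only; security parameters and msgData
# left empty for the example).
V3_MSG = bytes.fromhex(
    "3016" "020103"                      # SEQUENCE; version INTEGER 3
    "300d" "020101" "020205dc" "040104" "020103"  # msgID, msgMaxSize, msgFlags, USM
    "0400" "3000"                        # empty msgSecurityParameters, empty msgData
)

# Constructed flows: one poller reusing "public" against on-prem and cloud targets.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.1", V2C_GET),
    ("10.0.0.5", "10.0.1.2", V2C_GET),
    ("10.0.0.5", "203.0.113.10", V2C_GET),   # cloud-hosted VM polled with the same string
    ("10.0.0.5", "10.0.1.3", V3_MSG),
]

if __name__ == "__main__":
    print(parse_snmp(V2C_GET))
    print(parse_snmp(V3_MSG))
    print(audit_communities(SAMPLE_FLOWS))
```

The audit output maps each community string to every device it was seen used against; a single entry with a long host list is exactly the "same string on every device, never rotated" situation the comment describes, and a v3 message contributes nothing to the map because its header carries no community at all.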

Yes, obviously you can sniff community strings, but that only helps if you're speaking SNMP over the Internet.

Again the case I'm making is that this particular bug is really only useful for persisting onto networks you've already compromised.

I would not be surprised if there are companies & organizations out there using SNMP monitoring tools to monitor cloud-hosted systems in the same on-prem instance they're monitoring their on-prem systems from.

I'm thinking specifically of my old company, which used Nagios to monitor a few hundred VMs on AWS in addition to the several thousand servers & all the networking gear running locally.