Russia exploited a 7-year old Cisco flaw to target critical infrastructure, FBI warns   

The FBI issued a warning Aug. 20 that the Russian Federal Security Service’s (FSB) Center 16 has exploited a vulnerability in Cisco Smart Install and for the past year has been targeting critical infrastructure sectors in the U.S. and worldwide.

According to the FBI’s public service announcement, the FBI detected Russian FSB cyber actors, which Cisco Talos calls Static Tundra, exploiting simple network management protocol (SNMP) and end-of-life networking Cisco devices running with a CVSS 9.8 remote code execution (RCE) flaw from seven years ago, CVE-2018-0171.

Cisco Smart Install is a plug-and-play feature for “zero-touch” deployment of new switches. The FBI said the Russian cyber actors – also known to cyber pros as “Berserk Bear” and “Dragonfly” – collected modified configuration files to enable unauthorized access to those devices.

The actors then used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.

In the United States, the government has identified 16 critical infrastructure sectors, including the following: communications, energy, financial services, and water and wastewater.

“This isn’t just another patch-or-die bulletin, it’s a wake-up call declaiming the futility of reactive security,” said Roi Cohen, co-founder and CEO of Vicarius. “The realization that a seven-year-old vulnerability in Cisco’s Smart Install is still enabling Russian FSB-linked hackers to stealthily infiltrate critical infrastructure across continents should force us to rethink our foundational assumptions.”

Nic Adams, co-founder and CEO at 0rcus, added that the age of this vulnerability proves the persistence of legacy threats. Despite a patch and public advisory being available for years, many organizations have failed to remediate the flaw, said Adams.

“This is a systemic issue of inadequate patch management, where known vulnerabilities remain open for exploitation,” said Adams. “Ultimately, a low-cost, high-impact vector for even sophisticated state-sponsored actors.”

Adams explained that the Russian threat actors employ a multi-faceted approach: First, they exploit the unpatched CVE-2018-0171 vulnerability. Following a successful breach, they conduct network reconnaissance, focusing on industrial control system protocols. They also utilize sophisticated post-exploitation tools, such as custom SNMP tooling for persistence and the SYNful Knock firmware implant, to maintain covert access and evade detection for extended periods.

Ernest Lefner, chief product officer at Gluware, said the Static Tundra campaign highlights a simple truth: the most effective defense against state-sponsored exploitation of aging, unpatched devices is not a single patch or product—it’s disciplined lifecycle and vulnerability management.

“Organizations that continue to run end-of-life infrastructure are leaving doors open that sophisticated adversaries are eager to walk through,” said Lefner. “Automation is the key to closing those doors at scale. Enterprise capable automation enables IT teams to continuously assess device posture, automate patch deployment, and enforce lifecycle policies across complex, multi-vendor networks.”