The National Security Agency (NSA), in collaboration with 17 international partners, has issued a joint Cybersecurity Advisory warning of ongoing exploitation of vulnerable network infrastructure by Russian state-sponsored actors. The advisory, titled “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” highlights the activities of the Russian Federal Security Service’s (FSB) Center 16, which has been targeting routers and switches across various critical sectors.
These sectors include the Defense Industrial Base, communications, energy, financial services, government facilities, and healthcare in both the United States and allied nations. This advisory builds upon a previous FBI Public Service Announcement from August 2025, which alerted organizations to Russian government cyber actors targeting networking devices associated with critical infrastructure.
Exploitation of Cisco Smart Install Vulnerability
A central focus of the advisory is the exploitation of CVE-2018-0171, a critical vulnerability in Cisco’s Smart Install feature. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to send crafted messages over TCP port 4786, potentially causing device reloads, remote code execution, or unauthorized configuration changes. The Smart Install feature is designed for zero-touch deployment of new switches but lacks authentication mechanisms, making it susceptible to misuse.
Recommended Security Measures
To mitigate these threats, the advisory recommends the following actions for network defenders:
- Implement SNMPv3 to replace insecure legacy SNMP versions.
- Use strong, unique passwords instead of default or reused credentials.
- Disable Cisco Smart Install entirely, as it has no legitimate use case in most production environments.
- Block TFTP, SMI, and SNMP protocols at the firewall perimeter.
- Upgrade software and firmware promptly to patch known vulnerabilities.
Additionally, organizations are advised to audit routers and switches for unexpected configuration changes or hidden processes and to replace unsupported end-of-life hardware that no longer receives patches.
International Collaboration
The advisory reflects a broad international coalition, with co-signing agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of Defense Cyber Crime Center, and cyber authorities from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden. This mirrors an earlier NSA-FBI collaboration in April 2026 that warned about Russian GRU actors exploiting small-office/home-office routers globally, including through TP-Link devices via CVE-2023-50224, as part of a campaign known as Operation Masquerade.
In that case, agencies urged users to reboot routers, disable remote management, change default credentials, and review VPN configurations for telework setups.
Poorly configured edge devices remain an attractive foothold for state-sponsored actors because routers and switches often receive less security scrutiny than servers or endpoints, yet they sit at the perimeter of enterprise networks. Once compromised, these devices can enable persistent access, credential harvesting, and lateral movement into sensitive systems supporting military, government, and critical infrastructure operations.
The NSA and its partners emphasize that basic security hygiene, such as disabling unnecessary services like Cisco Smart Install, implementing strong authentication measures, and keeping devices updated, is crucial in defending against these sophisticated threats.
Given the persistent targeting of network infrastructure by state-sponsored actors, organizations must prioritize the security of their routers and switches. Disabling legacy features like Cisco Smart Install, which lack proper authentication mechanisms, is a critical step in reducing the attack surface. Additionally, adopting modern, secure deployment solutions and adhering to best practices for network device configuration can significantly enhance an organization’s defense posture against these evolving threats.