The National Security Agency, alongside 17 international partner agencies, released a joint Cybersecurity Advisory on July 9, 2026, warning that Russian state-sponsored actors continue to exploit vulnerable and poorly configured network infrastructure across critical sectors.
The advisory, titled “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” identifies the Russian Federal Security Service’s (FSB) Center 16 as the threat actor behind sustained campaigns against routers and switches worldwide.
The FSB’s Center 16 has compromised networks spanning the Defense Industrial Base, communications, energy, financial services, government facilities, and healthcare sectors in both the United States and allied nations.
This activity builds on an earlier FBI Public Service Announcement from August 2025 that flagged Russian government cyber actors actively targeting networking devices tied to critical infrastructure.
Central to the exploitation is CVE-2018-0171, a critical Cisco Smart Install vulnerability rated 9.8 on the CVSS scale, which allows unauthenticated attackers to send crafted messages over TCP port 4786 to trigger device reloads, execute remote code, or alter device configurations.
Recommended Hardening Measures
The joint advisory outlines five priority actions for network defenders to blunt this state-sponsored targeting:
Implement SNMPv3 to replace insecure legacy SNMP versions.
Use strong, unique passwords instead of default or reused credentials.
Disable Cisco Smart Install entirely, since it has no legitimate use case in most production environments.
Block TFTP, SMI, and SNMP protocols at the firewall perimeter.
Upgrade software and firmware images promptly to patch known vulnerabilities.
Security researchers tracking related campaigns note that organizations should also audit routers and switches for unexpected configuration changes or hidden processes, and replace unsupported end-of-life hardware that can no longer receive patches.
The advisory reflects an unusually broad coalition, with co-signing agencies including CISA, the FBI, the Department of Defense Cyber Crime Center, and cyber authorities from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden.
This mirrors an earlier NSA-FBI collaboration in April 2026 that warned about Russian GRU actors (tracked as APT28, Fancy Bear, and Forest Blizzard) exploiting small-office/home-office routers globally, including through TP-Link devices via CVE-2023-50224, as part of a campaign known as Operation Masquerade.
In that case, agencies urged users to reboot routers, disable remote management, change default credentials, and review VPN configurations for telework setups.
Poorly configured edge devices remain an attractive foothold for state-sponsored actors because routers and switches often receive less security scrutiny than servers or endpoints, yet they sit at the perimeter of enterprise networks.
Once compromised, these devices can enable persistent access, credential harvesting, and lateral movement into sensitive systems supporting military, government, and critical infrastructure operations.
The NSA and its partners emphasize that basic hygiene practices, rather than complex defenses, remain the most effective deterrent against these persistent state-level intrusions.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post NSA Urges Organizations to Disable Cisco Smart Install as Russian Hackers Target Routers appeared first on Cyber Security News.



