Friday February 13, 2026

Advisory ID:   ngCERT-2026-010003

SUMMARY/DESCRIPTION

ngCERT is aware of a potential router implant campaign targeting Cisco Catalyst switches and IOS-based routers through weak SNMP configurations, outdated firmware, and unsecured management services. These devices are being targeted globally by Advanced Persistent Threat (APT) groups, which abuse weak or misconfigured SNMP settings for tasking, control, and device modification. The implant enables unauthorized access, configuration changes, credential theft, and data exfiltration, and it can maintain long-term persistence while evading detection, which points to a sophisticated actor experienced in compromising network infrastructure. Observed TTPs include SNMP-based reconnaissance, exploitation of outdated IOS firmware, misuse of open or misconfigured services (HTTP, Telnet, SNMP), credential harvesting from insecure HTTP Basic Authentication (credentials cross the wire in cleartext), and data exfiltration over unencrypted channels. Organisations and users are advised to apply the mitigations detailed in this advisory to harden affected devices and remove the exploitable weaknesses.

Damage:      Critical 

Probability:  High

Platform(s):  Cisco Catalyst switches and IOS-based routers.

CONSEQUENCES

The observed activity may lead to a range of potential impacts, such as:

    1. Unauthorized access to network infrastructure.
    2. Manipulation of routing and network traffic.
    3. Theft of credentials.
    4. Long-term persistence on devices.
    5. Data leakage or exfiltration.
    6. Potential service disruption or outages.

SOLUTION/MITIGATION

The following are recommended to mitigate this exploitable weakness:

    1. Harden SNMP: migrate to SNMPv3 (authentication and privacy), remove SNMPv1/v2c community strings, especially defaults such as public and private, and restrict SNMP access to known management hosts with an ACL.
    2. Update and patch Cisco firmware, removing legacy or unpatched IOS versions.
    3. Disable insecure services (HTTP, Telnet) and rely on encrypted management (HTTPS, SSH) only.
    4. Improve access controls, segment the management network from user and Internet-facing traffic, and enforce strong passwords.
    5. Monitor SNMP activity, log configuration changes, and watch for traffic anomalies such as unexpected outbound connections from network devices.
    6. Rotate credentials regularly and, where compromise is suspected, conduct incident response including a review of the running configuration and rebuilding the device from a known-good image if needed.
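As a check for the SNMP, management-service and access-control items above, the following is an added example, not code from ngCERT or Cisco: a small Python audit that parses a saved Cisco IOS running-config and flags the weaknesses this advisory describes (SNMPv1/v2c communities, SNMPv3 groups without privacy or without an ACL, cleartext HTTP management, Telnet on VTY lines, VTY lines without an access-class). The two configurations embedded in it are constructed samples rather than captures from a real device; the ACL, group and user names and the placeholder passphrases are assumptions, and the hardened lines should be checked against the command reference for the exact IOS or IOS XE release in use. It does not check firmware patch level, which requires Cisco's advisory data for the platform.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of a weakly configured IOS device (not a real capture).
WEAK_CONFIG = """\
version 15.1
hostname edge-rtr1
snmp-server community public RO
snmp-server community private RW
ip http server
ip http authentication local
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened counterpart: SNMPv3 authPriv restricted by an ACL,
# HTTPS only, SSH only, VTY access limited to the management subnet.
# Names, subnet and <placeholders> are assumptions for illustration.
HARDENED_CONFIG = """\
version 15.9
hostname edge-rtr1
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
snmp-server group NMS-GROUP v3 priv access MGMT-HOSTS
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
no ip http server
ip http secure-server
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def _sections(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level command, indented child lines) pairs from an IOS config."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented lines belong to the current section
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_config(config: str) -> List[str]:
    """Return human-readable findings for the weaknesses named in the advisory."""
    findings: List[str] = []
    for header, children in _sections(config):
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", header)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            sev = "high" if mode == "RW" else "medium"
            if community.lower() in DEFAULT_COMMUNITIES:
                sev = "critical"  # well-known default string, trivially guessed
            findings.append(f"[{sev}] SNMPv1/v2c community '{community}' ({mode}) configured")
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)", header)
        if m:
            name, level, rest = m.groups()
            if level != "priv":
                findings.append(f"[medium] SNMPv3 group '{name}' uses '{level}': traffic is not encrypted")
            if not re.search(r"\baccess\s+\S+", rest):
                findings.append(f"[medium] SNMPv3 group '{name}' has no access ACL")
        if header == "ip http server":
            findings.append("[high] cleartext HTTP management enabled (Basic Auth credentials exposed)")
        if header.startswith("line vty"):
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"[medium] '{header}' has no access-class restricting sources")
            for c in children:
                if c.startswith("transport input"):
                    allowed = c.split()[2:]
                    if "telnet" in allowed or "all" in allowed:
                        findings.append(f"[high] '{header}' permits Telnet ({c})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  " + f)
```

Run it against a `show running-config` saved to a file by reading the file into `audit_config`; a clean result on the hardened sample is what a device should look like after items 1, 3 and 4 have been applied, and any `[critical]` community finding on a device reachable from untrusted networks should be treated as an incident-response trigger rather than a backlog item.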
