Date issued: August 20, 2025
Alert number: I-082025-PSA
The FBI has issued a Public Service Announcement warning that Russian Federal Security Service (FSB) cyber actors are actively exploiting a known Cisco Smart Install vulnerability (CVE-2018-0171). This activity poses a critical risk to networking devices and critical infrastructure across the United States and internationally.
On this page
References and resources
- FBI Alert I-082025-PSA (Aug 20, 2025)
- Cisco Security Advisory (March 28, 2018)
- Cisco Talos blog, “Static Tundra” (Aug 20, 2025)
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2018-0171 entry
- Cisco Software Checker Tool
The issue
The attackers, attributed to FSB Center 16 and known as Berserk Bear, Dragonfly, and more recently Static Tundra, are exploiting a flaw in Cisco IOS and IOS XE Smart Install (SMI).
The vulnerability (CVE-2018-0171) allows an unauthenticated attacker to send crafted messages on TCP port 4786, potentially triggering device reloads, remote code execution, or unauthorized configuration changes. Although Cisco disclosed and patched this vulnerability in 2018, many end-of-life and unpatched devices remain exposed.
Who is affected
Any organization running Cisco IOS or IOS XE devices with Smart Install enabled is at risk. Devices running older, unsupported software versions are particularly vulnerable, especially when combined with legacy SNMP v1 or v2 protocols.
Possible impact
- Unauthorized access to routers and switches
- Theft of configuration files and credentials
- Persistence of attackers via hidden changes in device configurations
- Reconnaissance into industrial control systems and operational technology environments
What to do
Organizations are urged to:
- Audit routers and switches for unexpected configuration changes or hidden processes
- Apply Cisco security patches or upgrade to supported software releases
- Disable Smart Install and legacy SNMP protocols (v1 and v2) where possible
- Replace unsupported end-of-life networking hardware
- Report suspected compromise to the FBI Internet Crime Complaint Center (IC3)
How to check your devices
Cisco provides a Software Checker tool where you can confirm whether your specific platform and IOS or IOS XE version are affected by CVE-2018-0171. Enter the CVE ID or your software release to see if a patch is required.
Next steps
This vulnerability is being actively exploited and is rated 9.8 critical (CVSS 3.1). Unpatched or unsupported Cisco devices are at the highest risk. Apply updates, replace end-of-life hardware, and report suspected compromises through the FBI IC3 portal.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
