CISA, NSA, the FBI, DC3, and eighteen partner agencies across thirteen countries published joint Cybersecurity Advisory AA26-194A, “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” on July 13. It attributes a long-running campaign against internet-exposed network devices to FSB Center 16 — the same unit publicly linked to Berserk Bear/Static Tundra — and confirms active exploitation of CVE-2008-4128, a cross-site request forgery flaw in Cisco IOS 12.4 that CISA added to its Known Exploited Vulnerabilities catalog on the same day. Federal civilian agencies were given until July 16 to remediate under Binding Operational Directive 22-01.
What happened
The advisory describes an opportunistic, internet-wide operation rather than a targeted intrusion set. Center 16 operators scan for routers and other networking devices — particularly aging edge hardware at branch offices, industrial sites, and small ISPs — that still respond to SNMP with default or commonly known community strings such as public and private. Where SNMP write access succeeds, the actors abuse the Cisco CISCO-CONFIG-COPY-MIB to issue SNMP Set-Requests that instruct the device to copy its running configuration (typically saved as config.bkp or output.txt) out over TFTP to attacker-controlled or previously compromised infrastructure. Because router configs routinely embed VPN pre-shared keys, RADIUS/TACACS+ secrets, and additional SNMP strings, a single successful pull often yields credentials that let the actors pivot laterally to other devices and deeper into the network. The advisory also documents use of Generic Routing Encapsulation (GRE) tunnels to redirect and quietly capture traffic of interest once a device is under actor control.
Where SNMP alone doesn’t get them in, Center 16 falls back on known device vulnerabilities — most notably CVE-2018-0171 (Cisco Smart Install, CVSS 9.8) and CVE-2008-4128, an 18-year-old CSRF weakness in the HTTP administration interface of Cisco IOS 12.4 on devices like the 871 Integrated Services Router. CVE-2008-4128 lets an attacker trick an already-authenticated administrator into submitting forged requests to the /level/15/exec/- and /level/15/exec/-/configure/http URIs — one variant runs an arbitrary show privilege, the other injects a malicious alias exec command, effectively achieving arbitrary command execution once the CSRF succeeds. IOS 12.4 has been end-of-life for over a decade, so no patch is coming; the only remediation is decommissioning or fully isolating affected devices.
Impact
The targeting is sector-agnostic and global: the advisory names communications, defense industrial base, energy, financial services, government, and healthcare/public health among the affected verticals. The technique doesn’t require a zero-day — it exploits operational neglect (default credentials, unpatched EOL firmware, SNMPv1/v2 left enabled) at internet scale, which is precisely why it has stayed effective for years despite relying on ancient vulnerabilities. Any organization running unmanaged or “set it and forget it” edge routers, especially SOHO/branch gear reachable from the internet, should assume it is in scope.
Detection
The advisory calls out inbound SNMP Set-Requests targeting OIDs 1.3.6.1.4.1.9.9.96.1.1 and 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (the CISCO-CONFIG-COPY-MIB copy operation) as a strong indicator of this exact TTP. Unexpected outbound TFTP sessions to unfamiliar hosts, and CSRF-pattern requests to /level/15/exec/-* on legacy IOS devices, are secondary signals.
Mitigation
- Migrate to SNMPv3 and disable SNMPv1/v2c outright; if v1/v2c must stay on temporarily, change default community strings immediately.
- Disable Cisco Smart Install on devices that don’t need it, and block TFTP, SMI, and SNMP at the perimeter firewall where not explicitly required.
- Identify and retire or fully air-gap any Cisco IOS 12.4 (or other EOL firmware) devices — CVE-2008-4128 has no fix and is now confirmed under active exploitation.
- Patch CVE-2018-0171 and audit for unauthorized configuration changes, unexpected GRE tunnels, and outbound TFTP traffic.
- Federal agencies: remediate per BOD 22-01 KEV timelines; everyone else should treat the July 16 deadline as the de facto industry bar.
Full advisory: CISA AA26-194A. KEV entry: CVE-2008-4128.