Russian Espionage Group Static Tundra Targets Legacy Cisco Flaw

A seven-year-old vulnerability affecting end-of-life Cisco network devices is being exploited by a Russian state-sponsored cyber espionage group.

Cisco Talos stated that the group, known as Static Tundra, has been observed compromising Cisco devices for several years.

The Russia-aligned hacking group has been exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices have reached their end-of-life date.

The FBI and Cisco Talos issued separate warnings about the campaign on August 20, 2025.

“Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled,” Cisco Talos’ threat advisory warned.

Customers have been urged to apply the patch for CVE-2018-0171 or to disable Smart Install if patching is not an option. The patch was first issued in 2018.

When exploited, the bug could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

Victims of Strategic Interest to Russia

The FBI noted that it had observed Static Tundra collecting configuration files on thousands of networking devices associated with US entities across critical infrastructure sectors.

Cisco assessed that the primary targets of Static Tundra include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe.

Victims are typically selected based on their strategic interest to the Russian government.

Cisco Talos also noted that some victims are based in Ukraine.

The firm believes that Static Tundra will continue to focus on organizations of political interest in Ukraine and among its allies in the future.

Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war and have remained high since then, Cisco researchers noted.

Static Tundra, a Long-Term Threat

Static Tundra, likely a subgroup of Energetic Bear/Berserk Bear/Dragonfly, is a well-established threat group that has operated for over a decade.

The group has been attributed to the Russian Federal Security Service’s (FSB) Center 16.

The FBI noted that since 2015, this unit has compromised networking devices globally, particularly devices accepting legacy unencrypted protocols like Smart Install (SMI) and Simple Network Management Protocol (SNMP) versions one and two. This unit has also deployed custom tools to certain Cisco devices, such as the malware publicly identified as SYNful Knock in 2015.
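The two exposures the article points at, Smart Install left enabled (the mitigation for CVE-2018-0171 is to disable it) and SNMP v1/v2c community strings that travel in cleartext, can both be spotted in a saved running-config before an attacker does. The script below is an added example written for this page, not code from Cisco, Talos or the FBI. It assumes the input is the text of `show running-config`; the IOS commands it looks for and emits (`vstack`, `no vstack`, `snmp-server community`, `no snmp-server community`) are real IOS/IOS XE syntax, while the sample configs, hostnames and community strings are constructed. Because Smart Install defaults to on in many IOS releases, the script treats a config with no explicit `no vstack` line as enabled; that assumption should be confirmed on the device with `show vstack config`.

```python
"""
Audit a Cisco IOS / IOS XE running-config for two legacy exposures:
  1. Smart Install (the 'vstack' feature attacked via CVE-2018-0171) enabled
  2. SNMP v1/v2c community strings (cleartext authentication)

Added example, not Cisco/Talos/FBI code. Assumptions:
  - Input is the text of 'show running-config'.
  - Absence of an explicit 'no vstack' line is treated as "enabled", since
    the feature is on by default on many releases; verify on the box with
    'show vstack config'.
  - Every 'snmp-server community' line is a v1/v2c community; SNMPv3 is
    configured with 'snmp-server group' / 'snmp-server user' instead.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    check: str
    severity: str
    detail: str


@dataclass
class AuditResult:
    smart_install_enabled: bool
    snmp_v1v2_communities: List[str]
    findings: List[Finding] = field(default_factory=list)


# 'snmp-server community <string> [view <name>] [RO|RW] [acl]' -> capture <string>
_COMMUNITY_RE = re.compile(r"^\s*snmp-server community\s+(\S+)", re.IGNORECASE | re.MULTILINE)
# Explicit disable of Smart Install
_NO_VSTACK_RE = re.compile(r"^\s*no vstack\b", re.IGNORECASE | re.MULTILINE)
# Any explicit 'vstack ...' global line (does not match 'no vstack')
_VSTACK_RE = re.compile(r"^\s*vstack\b", re.IGNORECASE | re.MULTILINE)


def audit_config(config: str) -> AuditResult:
    """Return which legacy exposures are present in the given config text."""
    findings: List[Finding] = []

    explicitly_disabled = bool(_NO_VSTACK_RE.search(config))
    explicitly_enabled = bool(_VSTACK_RE.search(config))
    smart_install_enabled = not explicitly_disabled
    if explicitly_enabled:
        findings.append(Finding("smart-install", "high",
                                "Smart Install (vstack) is explicitly enabled"))
    elif not explicitly_disabled:
        findings.append(Finding("smart-install", "high",
                                "No 'no vstack' line; assuming default-on, confirm with 'show vstack config'"))

    communities = _COMMUNITY_RE.findall(config)
    for name in communities:
        findings.append(Finding("snmp-v1v2c", "medium",
                                f"Cleartext SNMP community '{name}' configured"))

    return AuditResult(smart_install_enabled, communities, findings)


def remediation_commands(result: AuditResult) -> List[str]:
    """IOS global-config commands that remove the exposures found."""
    cmds: List[str] = []
    if result.smart_install_enabled:
        cmds.append("no vstack")
    for name in result.snmp_v1v2_communities:
        cmds.append(f"no snmp-server community {name}")
    return cmds


# Constructed sample: an unpatched, end-of-life style config
VULNERABLE_CONFIG = """\
hostname edge-sw-01
!
vstack
!
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group v3admins v3 priv
!
end
"""

# Constructed sample: the same device after mitigation (SNMPv3 only)
HARDENED_CONFIG = """\
hostname edge-sw-01
!
no vstack
!
snmp-server group v3admins v3 priv
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        res = audit_config(cfg)
        print(f"[{label}] smart_install_enabled={res.smart_install_enabled}")
        for f in res.findings:
            print(f"  {f.severity:6} {f.check}: {f.detail}")
        for c in remediation_commands(res):
            print(f"  fix: {c}")
```

Run against the constructed vulnerable config the script reports Smart Install enabled and two cleartext communities, and emits `no vstack` plus one `no snmp-server community` line per string; against the hardened config it reports nothing. Feeding it configs pulled from a device inventory gives a quick list of which boxes still need the patch, the `no vstack` mitigation, or an SNMPv3 migration.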

Cisco has assessed that the group has two primary operational objectives. One is to compromise network devices to gather sensitive device configuration information that can be leveraged to support future operations.

The second is to establish persistent access to network environments to support long-term espionage.

The analysis by Cisco noted that because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices.

Static Tundra utilizes bespoke tooling that prioritizes persistence and stealth to achieve these objectives. Among this tooling is a custom tool that automates the exploitation of CVE-2018-0171.