Seven years on, CVE-2018-0171 draws a 13-state advisory
US, UK, and eleven allied governments co-signed a July 13 advisory naming FSB Centre 16 as the actor still pulling configs off end-of-life Cisco routers via CVE-2018-0171.
Thirteen governments co-signed a joint advisory on 2026-07-13 whose whole technical premise is a Cisco Smart Install bug from 2018. CVE-2018-0171 is the unauthenticated remote code execution in the Smart Install client that Cisco patched in March of that year, and the advisory, hosted on the DoD media server as CSA — Improve Router Hygiene, says it is still the primary way FSB Centre 16 gets onto edge routers on critical-infrastructure networks. The NCSC’s release names Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, the United States and the United Kingdom as co-signers, and the FSB actor as Centre 16 — tracked elsewhere as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.
The mechanics have not changed in seven years. Smart Install is a zero-touch provisioning protocol Cisco added to IOS and IOS XE so a distribution switch could image a new access switch off the network without a console cable. The client speaks over TCP 4786. Where the feature is enabled — which, on a lot of older gear, is the shipped default — an unauthenticated attacker on the same reachable segment can push a crafted message that reaches a stack overflow in the Smart Install image list handler. The public exploitation pattern the advisory describes is the simpler use of the same access: read the running config over TFTP, exfiltrate credentials, then either log back in through the normal management path or, per the advisory, modify the config to keep the door open. Cisco’s original March 2018 PSIRT advisory is still the reference for the bug itself; the mitigation is still the same one Cisco recommended then, which is to disable Smart Install where it is not in active use.
What is worth pausing on is what the co-signers are actually asking critical-infrastructure operators to do, because none of it is new. The advisory’s action list is the same list any network engineer would recognise: turn off Smart Install where nothing needs it; move off SNMP v1 and v2c to SNMPv3; block TFTP and SNMP at the perimeter; put unique, strong credentials on network devices; audit running configs against a known-good baseline for planted entries; and, the load-bearing item, replace end-of-life gear that no longer receives firmware updates. The BleepingComputer writeup notes MikroTik and TP-Link SOHO routers alongside the Cisco gear as observed targets — small-office kit that lands at branch offices and substations and stays there, patched or not, for the working life of the site.
That is the physical layer under the advisory: routers on the edge of critical-infrastructure networks that were installed when the CVE was new, that nobody has touched since, and that are still forwarding production traffic. The FBI’s August 2025 PSA on the same actor and the same CVE counted more than a thousand compromised Cisco devices at that point. Whatever the current figure is, seven years is long enough that the population of vulnerable gear is not the fleet Cisco patched — it is the fleet nobody ever patched, because the box was already in production the day the advisory came out and the maintenance window was already booked for something else.
The concrete action, if you have not done it: run show vstack config
on any IOS or IOS XE box on your network, and if the output shows Smart
Install as anything other than disabled, disable it. That single command
closes the door the advisory is about.
Found this useful? Share it.


