Cisco Smart Install unauthenticated RCE in IOS and IOS XE
Unauthenticated remote code execution in the Cisco Smart Install client on IOS and IOS XE. Patched by Cisco in March 2018 and still the primary access vector FSB Centre 16 uses against edge routers on critical-infrastructure networks per a July 2026 joint advisory.
- Vendor
- Cisco
- Product
- IOS and IOS XE with Smart Install client enabled
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- exploited-in-wild
- Published
A stack-based buffer overflow in the Smart Install image list handler in Cisco IOS and IOS XE. Smart Install is a zero-touch provisioning protocol that speaks over TCP 4786; where the client is enabled, an unauthenticated attacker with reachability to that port can send a crafted message that reaches the vulnerable parsing path and triggers either remote code execution or a device reload.
Public exploitation pattern (per the July 2026 CSA — Improve Router Hygiene): the observed use of this bug at scale is not shellcode. Actors read the running config off the device over TFTP, harvest credentials (including local users and SNMP community strings), and re-enter the environment through the ordinary management path — often after modifying the config to keep persistence.
Cisco’s remediation is unchanged since 2018:
- Upgrade to a fixed release listed in cisco-sa-20180328-smi2.
- Where Smart Install is not in active use, disable it with
no vstackin configuration mode.show vstack configshows current state.
Ongoing exploitation:
- 2025-08 — FBI PSA (I-082025-PSA) attributes ongoing exploitation to FSB Centre 16 (Berserk Bear / Static Tundra), citing more than a thousand compromised Cisco devices.
- 2026-07-13 — Joint advisory co-signed by Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, the UK and the US calls out the same CVE and the same actor as the current router-hygiene priority for critical-infrastructure operators. CSA — Improve Router Hygiene (PDF) · NCSC coverage.
