AA26-194A: Block SNMP/TFTP and Disable Cisco Smart Install

CISA, NSA, the FBI, and international partners are warning that Russian Federal Security Service Center 16 actors are exploiting poorly configured and vulnerable networking devices. Joint advisory AA26-194A specifically highlights abuse of Simple Network Management Protocol configuration-copy functions, transfers over Trivial File Transfer Protocol, Cisco Smart Install exposure, Internet-reachable management services, and weak Cisco password-storage types.
The advisory names communications, defense, energy, financial services, government, and healthcare as high-risk sectors. Organizations in those sectors should treat the warning as an immediate priority. The underlying hardening practices are also prudent for any organization operating Internet-connected routers, switches, or network-management services.
The activity is tracked under several industry names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Whatever label a security team uses, the immediate response is the same: reduce management-plane exposure, disable obsolete or unnecessary services, and look for configuration-copy activity that does not match authorized administration.

Cybersecurity analysts monitor global network threats, exposed devices, alerts, and management access.First 30 Minutes: Reduce Exposure Now​

Do not wait for a complete architecture review before addressing the most dangerous exposures. In the first 30 minutes:
  1. Identify Internet-facing network-management interfaces.
    Review external firewall rules, NAT mappings, cloud security controls, device access lists, and the organization’s external attack-surface inventory. From an authorized external scanner, test public addresses for the management ports listed below. Confirm findings with the network team so that a filtered port is not mistaken for a disabled service.
  2. Block the listed external ports where they are not mission-critical.
    Deny unnecessary Internet-originated traffic to UDP 69, UDP 161, UDP 162, TCP 4786, and TCP or UDP 10161 and 10162. Apply the control at the external firewall or upstream enforcement point, then repeat the authorized external scan to verify that the services are no longer reachable.
  3. Disable Cisco Smart Install, also called SMI.
    Check the device’s running configuration and service status using the vendor-supported management interface. Disable Smart Install on every device where it is present, then verify externally that TCP 4786 is not reachable and internally that the service is no longer listening.
  4. Disable SNMPv1 and SNMPv2.
    Review each device’s active SNMP configuration rather than relying only on an inventory database. Remove legacy-version configuration where operationally possible. Verify the result by attempting authorized polling with SNMPv1 and SNMPv2 from a management host and confirming that both attempts fail.
  5. Verify SNMPv3 authPriv and authorized management-host restrictions.
    Confirm that required monitoring still works through SNMPv3 with authentication and privacy enabled. Check that only explicitly authorized management systems can reach the service and that permitted accounts have only the required object access. Test from both an authorized host and an unauthorized network location.
Cisco IOS and IOS XE syntax varies by release, platform, feature set, and deployed configuration. This article therefore does not provide generic commands that could be incorrect or disruptive on a particular device. Administrators should use the documented equivalent for the exact hardware and software release, preserve a recoverable configuration backup, and validate changes from an authorized test host. For non-Cisco equipment, use the device vendor’s documented procedures for disabling legacy SNMP, restricting management sources, and turning off unnecessary deployment services.

Russia Is Abusing Router Administration Functions​

AA26-194A describes activity in which FSB Center 16 actors scan Internet address ranges for networking devices and management services. The advisory maps this behavior to Active Scanning—Scanning IP Blocks, T1595.001, and Active Scanning—Vulnerability Scanning, T1595.002.
A central concern is abuse of SNMP Set-Requests. Where an exposed SNMP service permits the relevant write operation, a requester can use Object Identifiers, or OIDs, associated with device administration. The device may then perform a configuration-copy action through its own management functionality.
According to the joint advisory, the actors have directed devices to create configuration copies with names such as config.bkp and output.txt. The resulting file can then be transferred using TFTP to actor-controlled infrastructure. The advisory also discusses compromised FTP servers in connection with configuration transfers.
This can resemble unauthorized administration rather than conventional malware execution. Endpoint security installed on Windows workstations and servers may not observe the initiating action because it occurs on a router or switch. Network telemetry, device logs, firewall records, and configuration auditing are therefore essential parts of detection.
The FBI’s 2025 alert I-082025-PSA previously warned about Russian government actors targeting networking devices and critical infrastructure. AA26-194A provides additional technical indicators and mitigation priorities for defenders responding to FSB Center 16 activity.

Detection and containment values​

CategoryExact valueDefensive use
Cisco Config Copy OID1.3.6.1.4.1.9.9.96.1.1Alert on inbound SNMP Set-Requests involving this configuration-copy object
Cisco Config Copy Server Address OID1.3.6.1.4.1.9.9.96.1.1.1.1.5Examine the specified transfer destination and compare it with approved management infrastructure
Observed filenameconfig.bkpInvestigate unexpected creation or transfer
Observed filenameoutput.txtInvestigate unexpected creation or transfer
TFTPUDP 69Block externally unless mission-critical; correlate transfers with SNMP Set-Requests
SNMPUDP 161Block externally unless mission-critical; inspect requests from unauthorized sources
SNMP trapsUDP 162Block unnecessary external access
Cisco Smart InstallTCP 4786Disable SMI and verify the port is not externally reachable
SNMPv3-related management ports identified by the advisoryTCP/UDP 10161 and 10162Block externally unless mission-critical and explicitly authorized
Configuration-transfer protocolTFTPTreat unapproved transfers from network devices as high-priority events
Additional transfer protocol discussed by the advisoryFTPReview device-originated transfers to destinations outside approved infrastructure

Why Configuration-Copy Abuse Matters​

A router configuration is operationally sensitive. Even without assuming that every copied file contains the same information, unauthorized access to device configuration can help an actor understand how the device is administered and which controls are in effect.
That makes configuration theft more than a routine backup-policy violation. It can support follow-on activity by giving an attacker information that should be limited to trusted administrators. Defenders should consequently treat an unexplained configuration copy or transfer as a potential security incident, not merely an unusual maintenance task.
The most useful response is to compare device behavior with a known administrative workflow:
  • Which systems are allowed to issue SNMP Set-Requests?
  • Which accounts may invoke configuration-copy objects?
  • Which destinations are approved to receive backups?
  • Which protocols are approved for configuration transfer?
  • What filenames, transfer times, and change windows are expected?
  • Does the destination belong to the organization or an approved service provider?
A transfer should be escalated when the initiating host, destination, protocol, time, or filename does not match that baseline. The combination of an SNMP Set-Request involving a configuration-copy OID followed by a device-originated TFTP transfer is especially significant.

SNMPv3 Is Necessary, but It Still Requires Restrictions​

The agencies recommend disabling SNMPv1 and SNMPv2 and using SNMPv3 with authPriv, configured with the most modern encryption standard supported by the device. The authPriv setting provides both authentication and privacy for the management session.
Version selection is only one part of the control. Administrators must also restrict which hosts can contact the SNMP service and limit the objects that an authorized account can access. A Management Information Base, or MIB, allow list can reduce the set of permitted operations rather than giving every management account broad access.
Management optionSecurity posturePrimary riskRecommended treatment
SNMPv1Legacy SNMP versionExposure of an obsolete management service and potentially excessive accessDisable
SNMPv2Legacy SNMP versionSimilar management-plane exposure when unnecessarily reachable or writableDisable
SNMPv3 with authPrivAuthentication and privacy enabledRemains risky if exposed broadly or granted excessive object accessUse with modern supported encryption, authorized-host restrictions, and MIB allow lists
Cisco Smart InstallAutomated installation and deployment functionalityCan be abused when enabled and exposedDisable on all devices in accordance with the advisory
If an organization cannot immediately remove SNMPv1 or SNMPv2, it should follow the joint advisory’s interim safeguards, including changing default community strings and limiting access to read-only rather than read-write. That is a temporary risk-reduction step, not a reason to defer migration indefinitely.
Verification must test the effective control, not just the intended configuration. After a change:
  1. Poll the device with SNMPv3 authPriv from an authorized management host and confirm that required monitoring succeeds.
  2. Attempt the same authorized operation from a network location that is not on the permitted management-host list and confirm that it fails.
  3. Attempt SNMPv1 and SNMPv2 polling from the authorized host and confirm that the legacy versions are rejected.
  4. Attempt a write operation only in a controlled maintenance window and only if the test is approved. Confirm that accounts intended for read-only monitoring cannot issue Set-Requests.
  5. Review device and firewall logs to ensure that denied requests are visible to monitoring personnel.
These tests distinguish a documented policy from an actually enforced one.

Turn the OIDs Into Detection Logic​

AA26-194A gives defenders two concrete Cisco objects to monitor:
  • Cisco Config Copy OID: 1.3.6.1.4.1.9.9.96.1.1
  • Cisco Config Copy Server Address OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.5
An inbound SNMP Set-Request involving these objects should be checked against the approved backup and automation process. The server-address object is particularly useful because it can identify the destination associated with the copy operation.
Detection should go beyond alerting whenever UDP 161 is contacted. Useful logic includes:
  • Alert when an SNMP Set-Request involving either listed OID comes from a host outside the approved management inventory.
  • Alert when the server-address value points to a destination outside approved backup infrastructure.
  • Correlate the Set-Request with an outbound TFTP session from the same network device.
  • Search transfer metadata and available device telemetry for config.bkp or output.txt.
  • Escalate when a device contacts a new or unapproved TFTP or FTP destination.
  • Compare the event time with maintenance windows, change tickets, and scheduled backup jobs.
  • Review whether the account or SNMPv3 principal had a legitimate need for write access.
Where packet inspection is available and legally authorized, intrusion-detection rules can look for inbound SNMP Set-Requests containing the listed OIDs. Device logs should be retained and forwarded so that an attacker cannot defeat an investigation merely by relying on limited local log storage.

Old Services Continue to Create Avoidable Exposure​

Cisco Smart Install is another priority in the advisory. NSA guidance issued in 2017 addressed Smart Install misuse and recommended disabling the feature. AA26-194A again tells organizations to disable Cisco Smart Install on all devices.
External communication over TCP 4786 should be denied unless an organization has a documented, mission-critical requirement. Even then, the service should not be broadly Internet-accessible. Administrators should verify both that the feature is disabled on the device and that external traffic to the port is blocked.
TFTP also appears in the observed configuration-copy workflow. The advisory recommends denying external communications over UDP 69 unless they are mission-critical. Organizations that legitimately use TFTP should document the expected source, destination, direction, and schedule, then alert on transfers that fall outside that pattern.
The same exposure-reduction principle applies to UDP 161 and 162 and TCP or UDP 10161 and 10162. Using a stronger protocol setting does not justify exposing a management service to arbitrary Internet hosts. Only approved management systems should have a network path to required device-management services.
The advisory also clarifies that CVE-2008-4128 affects end-of-life Cisco devices. Administrators should not treat that CVE as applying to every Cisco product. They should, however, identify unsupported equipment and plan replacement rather than assuming that firewall controls can permanently compensate for hardware or software that no longer receives normal vendor support.

Password Storage Can Increase the Impact of Configuration Theft​

AA26-194A includes specific Cisco password-storage guidance. For Cisco user credentials, the advisory recommends Type 8 and says to avoid Types 0, 4, and 7.
Administrators should apply that recommendation without relying on an oversimplified visual inspection of the configuration. The fact that a password value is not immediately recognizable does not establish that the configured storage type meets current guidance. The device configuration should be audited specifically for the declared Cisco password type.
A practical review should:
  1. Export or inspect the configuration through an authorized administrative process.
  2. Identify every Cisco user credential entry and its configured password type.
  3. Flag Types 0, 4, and 7 for remediation.
  4. Migrate supported credentials to Type 8 in accordance with Cisco documentation for the exact platform and release.
  5. Confirm that required administration still works after the change.
  6. Protect configuration backups and limit access to personnel and systems with a documented operational need.
If an unauthorized configuration transfer is discovered, organizations should not assume that blocking the destination completes the response. They should determine which credentials or secrets could have been exposed under the actual device configuration and rotate affected values as appropriate.

The Named Sectors Face the Highest Stated Risk​

The advisory identifies communications, defense, energy, financial services, government, and healthcare organizations as high-risk sectors. Organizations in those categories should prioritize exposed management interfaces and vulnerable or poorly configured networking devices in incident-response and remediation queues.
That scope should not be expanded into a claim that every organization faces the same assessed threat level. However, disabling unnecessary management services, restricting administrative access, using SNMPv3 authPriv, monitoring sensitive OIDs, and replacing end-of-life equipment are generally prudent practices for networks outside the named sectors as well.
The advisory is associated with NSA, CISA, the FBI, the Department of Defense Cyber Crime Center, and international partners from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden. For administrators, the useful takeaway is not the number of participating agencies but the consistency of the recommended controls.

Timeline​

2017: NSA publishes guidance addressing Cisco Smart Install protocol misuse and recommends disabling the feature.
2022: NSA publishes Cisco password-types best-practices guidance.
2023: NSA publishes its Network Infrastructure Security Guide.
2025: The FBI issues alert I-082025-PSA concerning Russian government actors targeting networking devices and critical infrastructure.
AA26-194A publication: CISA and its partners provide technical details, indicators, and mitigations for FSB Center 16 activity involving poorly configured and vulnerable networking devices.
The timeline shows that the central defensive measures are not dependent on a newly disclosed product flaw. They are established hardening steps that need to be applied and verified.

Network-Device Events Belong in Security Operations​

Windows-focused security teams do not need to take ownership of router engineering, but they should ensure that network-device incidents enter the same investigation process as identity, endpoint, VPN, and firewall alerts.
At a minimum, security operations should receive:
  • Network-device authentication events.
  • SNMP access and Set-Request events where the platform can provide them.
  • Firewall records for the listed management and transfer ports.
  • TFTP and FTP transfer telemetry involving routers and switches.
  • Alerts for the two Cisco configuration-copy OIDs.
  • Notifications when a network device contacts a new external destination.
  • Results from scheduled external scans of public management exposure.
  • Configuration-drift findings based on an approved baseline.
Correlations should focus on observable sequences. For example, an inbound SNMP Set-Request containing the Config Copy OID, followed by an outbound UDP 69 connection to an unapproved address and use of output.txt, is substantially more actionable than a generic SNMP-port alert.
Configuration baselines should be stored in a controlled repository separate from the managed device. That gives administrators an independent record for comparing approved settings with the current running configuration. Access to those backups should be restricted because the files themselves are sensitive.

Admin implementation and verification checklist​

  • [ ] Inventory every Internet-facing router, switch, firewall appliance, and network-management interface, including end-of-life devices.
  • [ ] Validate the inventory with an authorized external scan rather than relying only on internal records.
  • [ ] Deny unnecessary external traffic on UDP 69, UDP 161, UDP 162, TCP 4786, and TCP/UDP 10161 and 10162.
  • [ ] Repeat the external scan and preserve evidence that the ports are blocked or no longer listening.
  • [ ] Disable Cisco Smart Install using the vendor-documented procedure for the exact platform and release.
  • [ ] Confirm on the device that SMI is disabled, then verify that TCP 4786 is not externally reachable.
  • [ ] Disable SNMPv1 and SNMPv2.
  • [ ] Test from an authorized management host and confirm that legacy-version polling fails.
  • [ ] Configure required SNMP access through SNMPv3 with authPriv and the most modern encryption supported by the device.
  • [ ] Confirm that authorized monitoring succeeds through SNMPv3 authPriv.
  • [ ] Restrict SNMP access to approved management hosts and test from an unauthorized location to confirm rejection.
  • [ ] Implement MIB allow lists or the platform’s documented equivalent so accounts can access only required objects.
  • [ ] Alert on Set-Requests involving 1.3.6.1.4.1.9.9.96.1.1.
  • [ ] Alert on Set-Requests involving 1.3.6.1.4.1.9.9.96.1.1.1.1.5.
  • [ ] Investigate unexpected config.bkp and output.txt files or transfers.
  • [ ] Correlate sensitive SNMP Set-Requests with device-originated TFTP or FTP traffic.
  • [ ] Audit Cisco user credentials for Type 8 and remediate Types 0, 4, and 7.
  • [ ] Store approved configuration baselines separately from the devices and monitor for drift.
  • [ ] Patch supported firmware and software using the vendor’s documented process.
  • [ ] Create a replacement plan for end-of-life equipment.

The Decisions That Matter Before the Next Scan Arrives​

AA26-194A’s most useful conclusions are operational:
  • FSB Center 16 is targeting poorly configured and vulnerable networking devices.
  • SNMP Set-Requests can abuse legitimate configuration-copy functionality.
  • The Cisco configuration-copy OIDs give defenders precise detection targets.
  • TFTP transfers and the filenames config.bkp and output.txt provide additional correlation points.
  • SNMPv1 and SNMPv2 should be disabled.
  • Required SNMP should use SNMPv3 authPriv, authorized-host restrictions, and limited object access.
  • Cisco Smart Install should be disabled.
  • Unnecessary external access to UDP 69, UDP 161, UDP 162, TCP 4786, and TCP/UDP 10161 and 10162 should be blocked.
  • Cisco password Types 0, 4, and 7 should be replaced with Type 8 in accordance with the advisory and applicable Cisco documentation.
  • End-of-life equipment should be treated as a replacement issue.
The immediate goal is not to redesign the entire network in one maintenance window. It is to remove public management exposure, stop obsolete services, verify that required SNMP access is both protected and restricted, and create detections around the exact configuration-copy behavior described by the agencies.
Organizations that complete those steps will have reduced the attack surface before the next scan arrives. Those that also retain device telemetry, maintain independent configuration baselines, and correlate SNMP operations with outbound transfers will be in a much stronger position to recognize attempted configuration theft before it becomes the foundation for a broader intrusion.

References​

  1. Primary source: CISA
    Published: 2026-07-13T12:00:00+00:00
  2. Related coverage: infosecurity-magazine.com
  3. Related coverage: aha.org
 

Back
Top