
RUSSIAN state‑sponsored APT actors have been observed exploiting two Cisco router vulnerabilities to breach critical infrastructure sectors, according to a joint advisory issued by the United States and its allies published on 13 July 2026. Reporting by SecurityWeek details the campaign which has hit organisations in communications, energy, finance and healthcare.
The older flaw tracked as CVE-2008-4128 carries a CVSS score of 4.3 MEDIUM and resides in the HTTP server component of Cisco IOS 12.4; it is a cross‑site request forgery that lets an attacker execute arbitrary commands when an authenticated administrator visits a malicious web page as noted in CISA’s KEV catalogue. The vulnerability affects Cisco 871 Integrated Services Routers and similar devices running the affected IOS release.
The more recent issue identified as CVE-2018-0171 is rated CVSS 7.5 HIGH and affects the SNMP service on a wide range of Cisco IOS and IOS XE devices; a specially crafted SNMP packet can trigger unauthenticated remote code execution or allow the extraction of device configuration details are available in the NVD entry. Both flaws have been marked as known exploited vulnerabilities by CISA.
Investigators have seen the APT actors send SNMP queries to harvest router configurations and then use the CSRF flaw to push malicious commands onto the compromised devices, enabling persistent access to the underlying networks. The joint advisory warns that the activity is ongoing and that the targeted sectors are vital to national security and economic stability. No specific threat actor group has been publicly named in the available sources.
Defenders should begin by disabling SNMPv1 and SNMPv2c on all Cisco routers, restricting SNMP access to trusted management networks and moving to SNMPv3 with strong authentication and encryption where possible. Router firmware must be updated to the latest patched release that addresses CVE-2018-0171, and the HTTP server should be hardened or disabled if not required for administration. Administrators are advised to use unique, complex passwords for the web interface and to avoid browsing untrusted sites while logged into the device.
Organisations should consult the CISA Known Exploited Vulnerabilities catalogue for CVE-2008-4128 and apply the mitigations listed there, ensuring compliance with Binding Operational Directive 22‑01 which requires federal agencies to remediate the flaw by 13 July 2026. Monitoring logs for unusual SNMP requests and unexpected HTTP POSTs to the router’s management interface can help detect ongoing exploitation attempts.