A Russia-sponsored cyberattack campaign is targeting end-of-life Cisco devices that remain unpatched against CVE-2018-0171, a security flaw discovered seven years ago. This flaw was exploited by Chinese threat actor Salt Typhoon earlier this year and enables malicious actors to execute arbitrary code on targeted devices or enact denial-of-service conditions. 

In this instance, the Russia-sponsored group responsible for the attacks is known as as Static Tundra, Energetic Bear or Berserk Bear. The group has been active since 2015 and predominantly targets organizations in telecommunications, manufacturing, and higher education across the United States, Ukraine, and other countries. 

Below, security leaders discuss this campaign. 

Security Leaders Weigh In

Ernest Lefner, Chief Product Officer at Gluware: 

The Static Tundra campaign highlights a simple truth: the most effective defense against state-sponsored exploitation of aging, unpatched devices is not a single patch or product — it’s disciplined lifecycle and vulnerability management. Organizations that continue to run end-of-life infrastructure are leaving doors open that sophisticated adversaries are eager to walk through.

Automation is the key to closing those doors at scale. Enterprise capable automation enables IT teams to continuously assess device posture, automate patch deployment, and enforce lifecycle policies across complex, multi-vendor networks. Instead of waiting for the next CVE to make headlines, automated lifecycle management ensures that unsupported devices are flagged and phased out before they become liabilities, and vulnerabilities are remediated as part of a repeatable, policy-driven process.

For CIOs, the takeaway is clear: operationalizing lifecycle and vulnerability management through automation not only reduces attack surface but also shifts security posture from reactive to proactive. It’s a strategic investment that keeps the business resilient, compliant, and out of harm’s way.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd:

End of life devices are often removed from core observation, especially when tied to sunsetting applications and services.

Vulnerability management SLAs must apply to the company's entire attack surface — this FBI Alert underscores the importance of both maintaining a current inventory (knowing what's available to attackers), and how important continued vigilance of patching currency and configuration management remains until the devices is taken offline.

The impacted CVE (CVE-2018-0171) is a high scoring RCE (remote code execution) exploit — while some environments (like manufacturing, telecommunications, and other critical infrastructure) may face production delays for planned patching cycles — seeing a seven year delay for this kind of vulnerability to be widely exploited is a bit surprising.

Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit:

The Static Tundra campaign, attributed to Russian Federal Security Service (FSB) Center 16 (also known as Berserk Bear, Dragonfly and Energetic Bear), has been systematically exploiting CVE-2018-0171. It is a seven-year-old critical vulnerability in Cisco's Smart Install (SMI) feature that allows unauthenticated, remote threat actors to execute arbitrary code on affected devices.

This campaign cements recent threat research that 40% of vulnerabilities exploited by threat actors in 2024 were from 2020 or earlier, with 10% dating back to 2016 or earlier. Some exploited vulnerabilities even date back to the 1990s, demonstrating the extraordinary longevity of unpatched security flaws! Since these devices are out of support, they no longer receive security updates, leaving newly discovered vulnerabilities permanently unaddressed. This creates persistent attack vectors that threat actors can exploit indefinitely. Moreover, legacy systems are often harder to monitor and secure, making it difficult to inventory and detect compromises.

Customers should:

1. Maintain inventories of network infrastructure, including identification of devices approaching or at end-of-life status. Create a replacement roadmap for devices approaching or at EOL.
2. Prioritize vulnerabilities affecting internet-facing devices or critical infrastructure devices. 
3. Periodically review important settings and disable remote management completely.
4. Disable the use of legacy SMI protocols and other legacy, unsecure protocols such as SNMP v1/v2.