Why Governments Are Sounding the Alarm on Router Security Hygiene
A sweeping multinational cybersecurity advisory, signed by 19 federal agencies spanning North America, the United Kingdom, Europe, and Australia, is sending a blunt message to enterprise IT teams: your router security hygiene is dangerously inadequate, and state-sponsored attackers are already inside your network because of it. The warning is not hypothetical. Russian government-linked threat actors are actively and systematically exploiting poorly configured network devices — primarily routers — to gain footholds in critical infrastructure sectors including energy, communications, financial services, healthcare, and government facilities.
What makes this advisory particularly striking is not the novelty of the attack methods — it is their age. The techniques being exploited have been well documented for over a decade. Yet organizations continue to leave the same doors open. For IT decision-makers, privacy professionals, and small business owners who rely on networked infrastructure, the implications are direct and urgent. This is not an abstract geopolitical issue; it is a practical security failure happening at the device level, right now, across organizations of every size.

How SNMP Exploits Turn Your Router Into a Spy Tool
At the technical core of these attacks is the Simple Network Management Protocol (SNMP), a standard framework used across virtually all enterprise environments to manage and monitor networked devices. The problem is that many organizations are still running SNMPv1 or SNMPv2 — legacy versions of this protocol that rely on what are called "community strings" for authentication. These are effectively shared passwords, and they frequently remain set to their factory defaults: well-known, publicly documented strings that any attacker can try within seconds.
According to the advisory, threat actors — using spoofed IP addresses to mask their origin — send SNMP requests to these devices, instructing them to copy their configuration files, typically named config.bkp or output.txt, and transfer those files to virtual private servers (VPS) under attacker control. These configuration files are the real prize. They contain plaintext or weakly encoded credentials, network topology details, and other sensitive organizational data that can be used to map and further penetrate a target's infrastructure.
Seva Ioussoufovitch, a senior research analyst at Info-Tech Research Group, put the situation plainly: "It might sound simple, but this tactic has been exploited for well over a decade, and is clearly still effective. Moving to SNMPv3, which offers stronger authentication and encryption, is a clear, actionable step security teams need to prioritize now."
Beyond SNMP, the advisory highlights exploitation of known Cisco vulnerabilities — specifically CVE-2018-0171, published in 2018, and CVE-2008-4128, published in 2008. Both vulnerabilities affect Cisco routers and grant remote, unauthenticated attackers the ability to execute arbitrary code, take unauthorized actions, or trigger denial-of-service (DoS) conditions. The fact that a vulnerability disclosed in 2008 is still being successfully exploited in enterprise environments is a damning indictment of patch management practices across the industry. The U.S. National Vulnerability Database (NVD) has detailed records of both CVEs, yet they remain unpatched on devices across critical sectors.
The groups responsible for these campaigns are well known within the cybersecurity community. Operating under names such as "Berserk Bear," "Crouching Yeti," "Dragonfly," "Energetic Bear," "Ghost Blizzard," and "Static Tundra," these are sophisticated, state-sponsored actors with a long track record of targeting Western infrastructure — a pattern extensively documented by researchers at organizations like Mandiant and detailed in threat intelligence reports from CISA and its international partners.
The "Set It and Forget It" Culture That Keeps Enterprises Vulnerable
Why, given the visibility of these threats, are enterprises still running decade-old vulnerable configurations? The advisory and independent security researchers point to a deeply embedded cultural and organizational problem: routers simply do not receive the same security attention as endpoints like laptops and servers.
"Many organizations still take a set-it-and-forget-it approach to routers, and don't track them like they would an endpoint," Ioussoufovitch noted. Unlike endpoint devices, routers are rarely subject to the same vulnerability scanning routines, patch management cycles, or asset tracking workflows. They are configured once, often by a network team, and then largely forgotten — sometimes for years, sometimes for the lifetime of the hardware.
Compounding the problem is an organizational accountability gap. In many enterprises, it is unclear whether the security team or the network operations team is responsible for router security. Each points to the other, and the result is that nobody owns the problem. This ambiguity is particularly dangerous given how central routers are to business continuity — a reality that actually increases the stakes of leaving them unpatched and misconfigured.
Legacy hardware is another persistent obstacle. Many organizations continue to rely on routers that have reached end-of-life (EOL) status, meaning the vendor no longer issues security patches or updates. The business case for replacing functional hardware is often difficult to make internally, even when that hardware represents a clear and documented security risk. According to research published by Gartner on network infrastructure risk management, organizations consistently underinvest in network device lifecycle management compared to endpoint security — a gap that state-sponsored actors have learned to exploit systematically.
What the Advisory Actually Tells You to Do — And Why It Matters for Digital Sovereignty
The practical recommendations from the 19-agency advisory are specific and actionable. For IT teams and security professionals, this is not a vague "improve your security posture" message — it is a step-by-step remediation checklist that should be reviewed against your current environment immediately.
| Recommended Action | Priority | Why It Matters |
|---|---|---|
| Upgrade to SNMPv3 with authPriv | Critical | Adds strong authentication and data encryption absent in v1/v2 |
| Disable SNMPv1 and SNMPv2 | Critical | Legacy protocols with no adequate authentication safeguards |
| Disable Cisco Smart Install (SMI) | Critical | Leaves devices open to unauthenticated remote access when left enabled |
| Enforce strong, unique passwords on all network devices | High | Eliminates trivial credential attacks exploiting defaults |
| Implement multi-factor authentication (MFA) | High | Adds a critical secondary layer against credential compromise |
| Block SNMP and file transfer methods at the firewall | High | Prevents data exfiltration even if a device is compromised |
| Retire end-of-life devices | Medium | EOL hardware receives no patches; risk is open-ended |
| Deploy anomaly detection on network traffic | Medium | Enables early detection of SNMP scanning and config exfiltration |
The agencies specifically urge enterprises to block SNMP and common file transfer protocols at the firewall perimeter, enforce allow lists for management protocols, and monitor logs and intrusion detection systems (IDS) for unusual credential patterns or misconfigurations. Where SNMPv1 or v2 cannot be immediately retired, the guidance recommends restricting them to read-only access as a minimum interim measure.
For European organizations operating under GDPR, these recommendations carry additional weight. A successful router compromise that leads to the exfiltration of configuration files containing network credentials or internal IP mappings can trigger GDPR breach notification requirements — particularly if that information enables downstream access to personal data. The intersection of network security hygiene and data sovereignty obligations means that European IT and privacy teams cannot treat this as purely an operational IT matter. It is a compliance issue as well.

Are Vendors Doing Enough? The Secure-by-Default Debate
While the advisory focuses on what enterprises must do differently, there is a growing and legitimate conversation about vendor responsibility. David Shipley of Beauceron Security, a cybersecurity firm focused on human risk management, argued that the burden of network device security should not fall exclusively on the customer. Vendors should be shipping products that are secure by default; customers should not need to manually disable legacy protocols or hunt through configuration menus to enable encryption that should be on out of the box.
"Building better and shipping secure by default would do even more than guidance alone. Right now, it's been trivial for attackers to compromise networking gear because the defaults work against defenders."
— David Shipley, Beauceron SecurityShipley's point is well taken in the context of the broader "secure by design" movement that regulators in the U.S., EU, and UK have been pushing. The European Union's Cyber Resilience Act, which entered into force and is being progressively implemented, establishes exactly this kind of obligation for manufacturers of connected products — requiring that devices be secure by default, with minimal attack surfaces and mandatory security update mechanisms. The advisory's findings effectively demonstrate what happens in the absence of such requirements: a vast installed base of devices with insecure defaults
Originally reported by CSO Online. Summarised and curated by European Purpose.