
Static Tundra Cisco CVE-2018-0171 active exploitation wave

Exploitation Wave
Happening score: 39
1 unique source, 2 articles

Summary


Static Tundra is an ongoing exploitation wave against CVE-2018-0171, a remote code execution flaw in the Smart Install feature of Cisco IOS and IOS XE, aimed at end-of-life and unpatched Cisco networking devices and used to reach U.S. critical infrastructure and other organizations. The activity has been tied to FSB officers and has been reported against telecommunications, higher education, and manufacturing targets in North America, Europe, Asia, and Africa. The FBI warned in August 2025 that the group had used the flaw over the past year to remotely execute arbitrary code on unpatched devices and breach companies across U.S. critical infrastructure sectors. Cisco continues to urge administrators to patch, and to disable Smart Install (the global no vstack command) on any device that cannot be patched, because exposed devices remain vulnerable to abuse.

Related Happenings

Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
First: 05.03.2026 14:15 Last: 05.03.2026 14:15 Sources 1

About this happening: **Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...

Cisco Secure Firewall Management Center patch release (CVE-2026-20079, CVE-2026-20131)

Security Patch Release
First: 04.03.2026 21:12 Last: 04.03.2026 21:12 Sources 1

About this happening: **Cisco Secure Firewall Management Center (FMC)** patch release for **CVE-2026-20131** and **CVE-2026-20079** addressed **CVSS 10** flaws that could let an **unauthenticated remot...

Latest development: 20.03.2026 17:09

CISA ordered Federal Civilian Executive Branch (FCEB) agencies to apply security updates for CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22 after Cisco updated its bulletin on March 18 to warn of active exploitation in the wild. Amazon threat intelligence researchers said Interlock ransomware had been exploiting CVE-2026-20131 as a zero-day since the end of January, and Cisco said the web-based management interface could let an unauthenticated, remote attacker execute arbitrary Java code as root on an affected device.

Cisco Secure Firewall Management Center (FMC) authentication bypass and RCE flaws (multiple vulnerabilities)

Vulnerability
First: 04.03.2026 21:12 Last: 04.03.2026 21:12 Sources 1

About this happening: **Cisco Secure Firewall Management Center (FMC)** has two **maximum-severity** flaws, **CVE-2026-20079** and **CVE-2026-20131**, that can let **unauthenticated attackers** take ov...

Latest development: 20.03.2026 17:09

CISA ordered Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22 after Cisco and Amazon threat intelligence reported active exploitation. Cisco updated its bulletin on March 18 to warn that the flaw in the web-based management interface could let an unauthenticated, remote attacker execute arbitrary Java code as root, and CISA added the CVE to its KEV catalog as known to be used in ransomware campaigns.

Cisco security patch release for CVE-2026-20127

Security Patch Release
First: 26.02.2026 11:30 Last: 26.02.2026 11:30 Sources 1

About this happening: **Cisco** released a fix for **CVE-2026-20127**, a **critical SD-WAN zero-day** that can let a remote unauthenticated attacker gain administrative access. The patch covers **Cisco...

APT44 years-long Russian campaign targeting Western critical infrastructure

Campaign
First: 16.12.2025 14:27 Last: 16.12.2025 14:27 Sources 1

About this happening: A **years-long** Russian campaign by **APT44** targeted **Western critical infrastructure** from **2021 to 2025**, increasing the risk of credential theft and downstream network c...

Timeline

  1. 21.08.2025 15:04 · 2 articles

    Static Tundra exploitation campaign expands across sectors

    Campaign Scope Update

    FSB-linked Static Tundra is exploiting CVE-2018-0171 in Cisco IOS and Cisco IOS XE devices to target critical infrastructure and other organizations worldwide, with Cisco Talos reporting aggressive compromise attempts against unpatched telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe. The activity includes collection of configuration files from thousands of networking devices tied to U.S. entities, unauthorized configuration changes on some vulnerable devices, reconnaissance inside victim networks, custom SNMP tooling for persistence and evasion, and use of the SYNful Knock firmware implant.

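As an added check that is not code from the page's sources, Cisco, or Talos: the two hardening points above (Smart Install exposure behind CVE-2018-0171, and SNMP community strings that the reported SNMP tooling and config collection would abuse) can be triaged from exported running-configs before anyone logs in to a device. The sample configs are constructed, and the list of banned community strings and the "no ACL" rule are assumptions standing in for an organization's own baseline.

```python
"""Audit exported Cisco IOS / IOS XE running-configs for two exposures tied to the
Static Tundra activity: Smart Install left enabled (the CVE-2018-0171 attack
surface on TCP/4786) and SNMP community strings that would let an attacker pull
configuration or pivot. Editor's example; the configs below are constructed."""
import re

# Assumption: community strings the organization's baseline forbids outright.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
SNMP_COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(?P<string>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<access>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample configs (not captures from any real device).
SAMPLE_CONFIGS = {
    "edge-sw-01": """\
hostname edge-sw-01
!
no vstack
!
snmp-server community s3cur3-ro RO 10
snmp-server community s3cur3-mon view sysonly RO 10
!
end
""",
    "branch-sw-07": """\
hostname branch-sw-07
!
snmp-server community public RO
snmp-server community private RW
!
end
""",
}


def smart_install_disabled(lines):
    """True only when the global 'no vstack' statement is present.
    False means 'not explicitly disabled', not 'confirmed enabled'."""
    return any(line.strip() == "no vstack" for line in lines)


def snmp_findings(lines):
    """Return one finding per community string that has at least one weakness."""
    findings = []
    for line in lines:
        m = SNMP_COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        string = m.group("string")
        access = (m.group("access") or "RO").upper()  # IOS default is RO
        issues = []
        if string.lower() in WEAK_COMMUNITIES:
            issues.append("well-known community string")
        if access == "RW":
            issues.append("read-write access")
        if not m.group("acl"):
            issues.append("no access-list restricting source addresses")
        if issues:
            findings.append({"community": string, "access": access, "issues": issues})
    return findings


def audit_config(text):
    """Audit one running-config; returns hostname, Smart Install state, SNMP findings."""
    lines = text.splitlines()
    hostname = next(
        (l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), "unknown"
    )
    return {
        "hostname": hostname,
        "smart_install_disabled": smart_install_disabled(lines),
        "snmp": snmp_findings(lines),
    }


def audit_all(configs):
    """Audit a mapping of device name -> config text, worst devices first."""
    results = [audit_config(text) for text in configs.values()]
    return sorted(results, key=lambda r: (r["smart_install_disabled"], r["hostname"]))


if __name__ == "__main__":
    for r in audit_all(SAMPLE_CONFIGS):
        state = "explicitly disabled" if r["smart_install_disabled"] else "NOT disabled in config"
        print(f"{r['hostname']}: Smart Install {state}")
        for f in r["snmp"]:
            print(f"  snmp community {f['community']} ({f['access']}): {', '.join(f['issues'])}")
```

A config without no vstack is reported as "not disabled in config" rather than as vulnerable: platforms and releases that never shipped Smart Install will not accept the command, so confirm on the device with show vstack config and treat this audit as a triage filter, not as proof of exposure. Conversely, a device that passes both checks can still be compromised if it was reachable on TCP/4786 before hardening, so pair the audit with a review of configuration changes and firmware integrity on anything that was exposed.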