The Evolving Edge Threat: Persistence Through Routers and VPN Appliances

In 2025, state-aligned threat actors have increasingly shifted their focus toward internet-edge infrastructure — particularly routers and VPN appliances — as durable platforms for long-term persistence. Rather than relying solely on traditional endpoint compromise, these actors are exploiting legacy networking gear to gain strategic, persistent access with minimal visibility.

What Do These Attacks Look Like?

Two recent campaigns highlight this evolution:

  • Salt Typhoon (also tracked as "RedMike"), a China-linked threat group, has been observed compromising unpatched Cisco routers in telecom environments. The group leveraged exposed services and outdated firmware to deploy GRE tunnels, enabling persistent, covert access to target networks.
  • Static Tundra, linked to Russian intelligence services, continues to exploit CVE-2018-0171 in Cisco’s Smart Install protocol — affecting end-of-life and unpatched devices. These intrusions allow attackers to extract configuration data, disable logs, and maintain footholds without detection.

These operations typically rely on tools already present in the firmware, such as embedded web servers or system binaries. Tactics include disabling logging, exfiltrating NetFlow data for reconnaissance, and evading traditional endpoint defenses by operating exclusively within networking layers.

Government alerts from U.S. and allied cybersecurity agencies have reinforced the urgency of this threat. They emphasize that many of these campaigns exploit known vulnerabilities in widely deployed devices — particularly in sectors like telecommunications, manufacturing and education.

What Should Defenders Prioritize?

  • Firmware Integrity: Only deploy signed firmware, validate via cryptographic hashes and enforce strict update controls.
  • Segmentation and Zero Trust: Isolate management interfaces and avoid exposing device control ports to the internet.
  • Telemetry Monitoring: Baseline and monitor SNMP, Syslog and NetFlow data for abnormal behavior.
  • Supply Chain Assurance: Require SBOMs for all network gear and validate OEM update paths with TLS pinning or equivalent trust mechanisms.
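
As an added example for the telemetry and segmentation items above (not code from the original post or from NetWorks Group), here is a small baseline audit over a Cisco IOS-style running config that flags the indicators the two campaigns share: Smart Install not explicitly disabled, logging turned off, NetFlow export to an unapproved collector, and GRE tunnel interfaces outside the approved set. The config excerpt, baseline and addresses are constructed; the command syntax follows standard IOS but should be confirmed against your platform.

```python
import re
# Constructed running-config excerpt; every address and name is made up.
SAMPLE_CONFIG = """\
no logging on
ip flow-export destination 10.0.0.5 2055
ip flow-export destination 203.0.113.77 9995
interface Tunnel0
 tunnel destination 198.51.100.9
 tunnel mode gre ip
interface Tunnel7
 tunnel destination 203.0.113.77
 tunnel mode gre ip
"""
# Hypothetical approved baseline for this device, as operations recorded it.
BASELINE = {"tunnels": {"Tunnel0"}, "flow_export": {"10.0.0.5"}}

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented sub-commands.
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return ifaces

def audit_config(config, baseline):
    findings, lines = [], [ln.strip() for ln in config.splitlines()]
    # Smart Install (the CVE-2018-0171 surface): a hardened config states "no vstack".
    if "no vstack" not in lines:
        findings.append("smart_install_not_disabled")
    # Logging switched off entirely, a common step before config extraction.
    if "no logging on" in lines:
        findings.append("logging_disabled")
    # NetFlow exported to a collector nobody approved.
    for ln in lines:
        m = re.match(r"ip flow-export destination (\S+)", ln)
        if m and m.group(1) not in baseline["flow_export"]:
            findings.append(f"unapproved_flow_export:{m.group(1)}")
    # GRE tunnel interfaces outside the approved set, reported with their far end.
    for name, cmds in parse_interfaces(config).items():
        is_gre = any(c.startswith("tunnel mode gre") for c in cmds)
        if name.startswith("Tunnel") and is_gre and name not in baseline["tunnels"]:
            dst = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination")), "?")
            findings.append(f"unapproved_gre_tunnel:{name}->{dst}")
    return findings
```

Run it on a schedule against the saved output of `show running-config` and alert on any non-empty result; pairing it with a syslog-side check that the device is still sending logs covers the case where the config itself has been tampered with.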

If you have any questions about these threats or the steps you can take to mitigate them, please feel free to reach out to us at hello@networksgroup.com.

Sources

CISA/FBI Advisory on Legacy Network Device Exploits

Cisco Talos: Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

Dragos Year in Review 2025 – OT Threats

Recorded Future: RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers

Published By: Daniel Parker, VP of Ethical Hacking, NetWorks Group

Publish Date: November 18, 2025
