Cisco Initiative to Address Security Risks in Aging Network Infrastructure
Cisco has announced a new initiative, "Resilient Infrastructure," aimed at mitigating the security risks posed by aging and unsupported network equipment, including routers and switches. The company is responding to the growing threat landscape, where generative AI is making it easier for attackers to exploit vulnerabilities in legacy devices, many of which are no longer supported with security patches or updates. Cisco's effort includes research, industry outreach, and technical changes to how it manages its own legacy products, with a focus on both its own and other vendors' equipment still in use.
As part of this initiative, Cisco will begin issuing explicit warnings to customers when their devices are approaching end-of-life or are configured insecurely. Over time, the company plans to disable insecure options by default and eventually remove them entirely from its products. This move comes after analyses revealed that Chinese nation-state actors have exploited known vulnerabilities in Cisco equipment during high-profile attacks on telecom providers. Cisco's approach aims to make secure configurations the default and to proactively alert administrators to risky settings, thereby reducing the attack surface presented by outdated infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Cisco pledges stronger security in network equipment
Cisco announced a commitment to improve security in its networking equipment, signaling planned security enhancements to its product portfolio. This development was reported by multiple outlets on November 20, 2025.
Cisco warns aging infrastructure raises security risks in AI era
Cisco publicly sounded an alarm that legacy and aging technical infrastructure is creating heightened cybersecurity risk as organizations adopt AI and increasingly complex networked systems. The warning was reported on November 20, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
With the Rise of AI, Cisco Sounds an Urgent Alarm About the Risks of Aging Tech
wired.com
Open sourceCisco Pledges More Security in Network Equipment
bankinfosecurity.com
Open sourceCisco Pledges More Security in Network Equipment
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Risks from Legacy and Unpatched Systems in Critical Infrastructure
A new Cisco report highlights the growing risk posed by legacy and unsupported systems within national critical infrastructure, revealing that nearly half of global business network assets were already aging or obsolete as of 2020. The United Kingdom, in particular, faces significant exposure, with 228 legacy systems identified across government in 2024 and over a quarter at high risk of operational or security failure. The report underscores that unsupported systems, often located at network edges, are prime targets for attackers, and that a majority of breaches in the EU during 2022 and 2023 exploited vulnerabilities with available but unapplied patches. Healthcare and other essential sectors are especially vulnerable due to concentrated use of outdated technology. Recent cyberattacks have increasingly targeted legacy firewalls and network devices, with state-sponsored groups exploiting known vulnerabilities in products from vendors such as Cisco, SonicWall, Palo Alto Networks, and Fortinet. Research indicates that 60% of enterprise firewalls fail high-severity compliance checks, reflecting deeper governance and patch management issues. Attackers are leveraging these weaknesses, often chaining exploits across network edges and VPNs, while defenders struggle with fragmented vendor alerts and outdated risk frameworks. The persistent use of unsupported technology and delayed patching continues to undermine national resilience and exposes critical infrastructure to significant cyber threats.
Mar 21, 2026
Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices
A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.
Mar 21, 2026
CISA Binding Operational Directive to Remove End-of-Life Edge Devices Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) issued a **Binding Operational Directive (BOD)** ordering federal civilian agencies to identify and remove **end-of-life/end-of-service (EOS)**, internet-facing **edge devices**—citing **widespread active exploitation** by sophisticated threat actors, including activity with **ties to nation-states**. CISA warned that unsupported devices remain in service long after vendors stop providing firmware and security updates, making them persistently vulnerable to exploitation and a recurring entry point for high-impact intrusions. The directive requires agencies to inventory unsupported edge devices within **three months**, **decommission/replace** identified EOS devices on an accelerated timeline (reported as **within one year** for removal), and establish ongoing processes for **continuous discovery/monitoring** to prevent unsupported technologies from re-entering networks. Device categories called out include common perimeter and network infrastructure such as **firewalls, routers, load balancers, switches, wireless access points, network security appliances, and IoT edge devices**; CISA is also producing a government-wide list of EOS edge devices to guide compliance. Officials emphasized the action is **not tied to a single incident**, but reflects the sustained risk and observed exploitation of unsupported edge infrastructure across federal environments, while encouraging non-federal organizations to adopt similar practices.
Mar 21, 2026