Security Affairs
Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cisco warns hackers are installing malicious ROMMON images on its devices

Cisco is warning enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images. Be aware network administrators, Cisco released a new Security Activity Bulletin referring a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators […]

Cisco Catalyst

Cisco is warning enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images.

Be aware network administrators, Cisco released a new Security Activity Bulletin referring a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators and then upload malicious ROMMON (IOS bootstrap) images to gain complete control of the devices

The ROM Monitor (ROMMON) is the program used to initialize the CISCO IOS devices, basically an attacker bu replacing it would have persistent access to the compromised device.

The attacker somehow accessed valid administrative credentials to access the CISCO devices, they aren’t exploiting any vulnerability, but experts speculate they are harvesting admin credentials to run the attacks and install the malicious ROMMON images.

CISCO ROMMON

“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” states the advisory from Cisco.

“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.

 No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.”

Cisco will no assign any CVE ID, because there isn’t any vulnerability, hackers are exploiting a feature that Cisco implements, as many others network gear manufacturers do.

The problem here is how the attackers got the Admin credentials, but we cannot blame Cisco for this.

As usual let me suggest to adopt strong passwords, and keep them safe.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

 

Pierluigi Paganini

(Security Affairs – CISCO, ROMMON)