When the Router Exfiltrates Its Own Configuration
A stolen router configuration can expose credentials and trusted management paths long after the device has been rebuilt.

An SNMP Set request can make a router write its own configuration to a file and send that file to another system.
That is the most consequential mechanism in a joint cybersecurity advisory published July 13, 2026. The participating agencies attributed the activity to actors associated with Center 16 of Russia’s Federal Security Service.
The actors scan for routers accepting legacy SNMP and weak or default community strings. They then use SNMP Set requests to invoke configuration-copy functions and transfer the resulting file, typically over TFTP, to external infrastructure.
The router performs the export through its own management plane. The actor does not necessarily need to install malware or obtain an interactive shell first.
For responders, the important question is not limited to whether the router was compromised. It is what the exported configuration disclosed and where that information can still be used.
The router performs the export
Host-centered detection is a poor fit for this activity. There may be no endpoint process, malicious executable, or conventional file-access alert. The device receives a management request, invokes a supported configuration-copy function, and initiates an outbound transfer.
The advisory provides example Cisco configuration-copy object identifiers that defenders can monitor. One identifies the configuration-copy subtree; the other specifies the destination server.
That list should not be treated as a complete signature. The destination-address object cited in the advisory, ccCopyServerAddress, supports IPv4 and is deprecated. Newer implementations can use ccCopyServerAddressType and ccCopyServerAddressRev1 instead.
A detector using exact matches for the advisory’s two example OIDs could miss a valid transaction using ccCopyServerAddressRev1. Prefix matching on the ccCopy subtree, combined with monitoring for SNMP Set requests, covers the replacement object.
Egress matters too. If routers can initiate arbitrary TFTP transfers, the configuration-copy function already has an exit path. The advisory recommends blocking external TFTP unless it is operationally necessary and monitoring it closely where blocking is not feasible.
The reported requests can also use spoofed source addresses. The NCSC’s 2017 router guidance, reviewed in 2018, explicitly pairs management-source allowlists with edge anti-spoofing so packets falsely claiming to originate from an approved management platform are dropped.
The file expands the incident
The configuration file can contain much more than evidence that a device was accessed.
Depending on the platform and configuration, it may reveal local credentials, SNMP community strings, management addresses, routing relationships, interface descriptions, access-control rules, neighboring systems, and trusted sources. Even when passwords are strongly protected, the file can provide enough topology and management context to guide further reconnaissance.
The FBI has documented both configuration collection and further activity in this campaign. In an August 2025 public service announcement, it reported that Center 16 actors had collected configurations from thousands of networking devices associated with US critical infrastructure entities during the preceding year.
On some vulnerable devices, the actors modified configurations to enable unauthorized access. They then used that access for reconnaissance that revealed interest in protocols and applications associated with industrial control systems.
The FBI did not say that every collected file contained reusable credentials or that every affected device led to deeper access. The public record nevertheless establishes that configuration collection, device modification, and downstream reconnaissance occurred within the same campaign.
Rebuilding the original router does not recover information that has already left it. If the file disclosed a shared credential, a management server, or a trusted source address, the remaining exposure exists outside the rebuilt device.
Follow what the configuration disclosed
A suspected configuration export should produce four immediate questions:
Was a configuration exported, and where was it sent?
Which credentials or shared secrets did it contain?
Where else were those credentials or trust relationships used?
What changed on the router or adjacent management systems?
The answers determine the response boundary.
A shared community string may extend the exposure to an entire class of devices. A reused local administrative credential requires review and likely rotation everywhere it is accepted. A disclosed management address, authentication server, or trusted source can identify paths that need separate investigation.
Responders should compare the current configuration with a trustworthy known-good version. The comparison should look for unexpected accounts, altered access-control entries, new routes or tunnels, changed management destinations, and services that were enabled without authorization.
Device logs should be preserved outside the router. A compromised device is a poor sole custodian of evidence about its own management activity.
This work is separate from restoring the router. Rebooting, replacing, or reimaging the device may remove immediate access, but those actions do not invalidate credentials or erase topology knowledge already obtained by the actor.
Reduce the management-plane exposure
Migrating to SNMPv3 with authPriv removes the cleartext community-string model and adds authentication and encryption. Both the joint advisory and the NSA’s SNMP abuse guidance recommend it.
The NSA guidance also states that SNMPv3 alone is insufficient. A compromised or over-privileged SNMPv3 credential can still reach sensitive objects unless its permissions are constrained.
The stronger control combines:
separate read and write authority;
MIB views exposing only required objects;
access-control lists limiting management traffic to approved systems;
a separate, preferably out-of-band management network;
monitoring for configuration-copy operations;
restrictions on unnecessary outbound management protocols.
Where older devices or management software cannot support authPriv, NSA identifies authNoPriv as the fallback but still directs operators to upgrade.
The practical response begins with two inventories: every device that still accepts SNMPv1 or SNMPv2, and every secret or trust relationship that would be disclosed if its running configuration left the network.
If the incident runbook stops after rebuilding the router, add the missing step. Examine the exposed configuration and follow its credentials, management paths, and trust relationships until the remaining access has been accounted for.





