Surge in malicious scans for outdated routers: hackers hunting for old Cisco, Linksys gear
Researchers are warning of a surge in malicious scans for old, outdated, and vulnerable network equipment. Hackers are likely succeeding because these probes often come from compromised end-of-life Cisco, Linksys, and Araknis Networks devices.
Eclypsium, a supply chain security firm, is seeing a surge in malicious scans. The scans affect both consumer and enterprise equipment and have been traced back to compromised Cisco, Linksys, and Araknis routers.
The Shadowserver Foundation has previously warned about over 2200 newly compromised routers.
Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers , Linksys LRT series, & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others.
undefined The Shadowserver Foundation (@Shadowserver) August 19, 2025
IP data on these scans shared in https://t.co/0nP5Z66SWx pic.twitter.com/lusq8pR1Uk
“It doesn’t matter to the attackers as long as it works,” Eclypsium said in a report.
“The attack tools and techniques, targeting network devices and IoT specifically, can range from the latest zero-day exploits to those that are 15 years or older.”
In the observed attacks, attackers specifically targeted:
- Cisco Small Business RV series routers, most of which are end-of-life (EOL) and do not receive firmware updates or support.
- Linksys LRT series models that have reached EOL, but may receive some extended support.
- Araknis Networks AN-300-RT-4L2W, which is EOL, and no firmware updates will be distributed.
Separately, the FBI has previously warned about hackers targeting outdated networking gear that accepts legacy, unencrypted protocols like Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP).
Despite the vulnerability, which is tracked as CVE-2018-017, being seven years old, Russian attackers are still successfully exploiting it.
The researchers warn that there is little visibility and prevention available for vulnerable routers used by individuals or small businesses – even if a patch is available, many do not apply it. Meanwhile, attackers can easily scan the internet for exposed devices.
“Every organization has dusty corners in IT – those systems, networks, and devices that lie dormant, don’t receive a lot of attention, but could cause a bad day in the future,” the report reads.
“The dusty corners contain older network gear and devices that are EOL, legacy Windows systems running proprietary software that cannot be upgraded, or applications that have not yet been retired and are missing security patches.”
The researchers urge the disabling and replacement of legacy unencrypted protocols, including TELNET and SNMP or SMI for Cisco devices, and the assurance that the systems are up-to-date.
What flaws are the most frequently scanned for?
Attackers scan IP addresses for vulnerabilities thousands of times daily. Shadowserver Foundation lists the most exploited vulnerabilities, and most of them are old.
Currently, attackers are the most active looking for Huawei Home Gateway HG532 devices. Almost 600 IPs hit the honeypots thousands of times. They have been searching for devices with a high-severity remote code execution vulnerability discovered in 2017, which enables attacks by sending malicious packets to a specific port.
Two newer SonicOS vulnerabilities take second and third place. One critical flaw from 2022 allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially execute code in the firewall. Another high-severity flaw from 2023 enables unauthenticated hackers to crash the firewalls. On average, around 300 IPs scan for them daily.
Hundreds of IPs probe daily for Cisco IOS XE vulnerabilities from 2023 or 2018, the Belkin Wemo flaw from 2019, the Realtek SDK bug from 2014, Zyxel Eir D1000 devices that have been vulnerable since 2016, and more.
The full list of the most active malicious probes can be found here.
