What's new

Enterprise Security Content Updates version 5.13.0 was released on August 22nd, 2025.

ESCU 5.13.0 is a rapid-response release to active exploitation of Cisco Smart Install (CVE-2018-0171) by Static Tundra, a Russian state-sponsored espionage group linked to FSB Center 16 with a decade-long focus on compromising network devices for long-term intelligence. This threat actor is abusing a seven-year-old, already-patched flaw against unpatched or EOL IOS/IOS XE gear to steal configurations and establish persistence, including bespoke SNMP tooling and historic firmware implants such as SYNful Knock.

To mitigate this active campaign, the Splunk Threat Research Team has operationalized Cisco Talos’ PCAP patterns and tradecraft into high-signal detections on cisco:ios telemetry. These surface Smart Install ingress on TCP/4786 and oversized packets, follow-on configuration or persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging or exfiltration, and leverage Cisco Secure Firewall mappings for unified triage.

These detections give teams concrete hunts and earlier containment checks for a critical blind spot that typically sits outside EDR and has been abused for long-dwell espionage, while your teams follow Talos guidance to patch or turn off Smart Install, adopt SNMPv3, and harden management access. Given the campaign’s global scope (telecom, higher education, manufacturing across North America, Asia, Africa, and Europe) and the likelihood of similar activity by other state actors, this coverage is broadly applicable.

As this is delivered through our ongoing Cisco and Splunk Better Together collaboration, customers get actionable hunts that help to verify remediation and reduce dwell time across both current and legacy environments.

Kudos to the ongoing Cisco and Splunk Better Together collaboration: Talos surfaces emerging tradecraft and the Splunk Threat Research Team operationalizes it, and together we have created content for Cisco Duo, Secure Firewall, and NVM. This release shows how quickly joint research becomes actionable detections that customers can use to detect earlier, verify remediation, and reduce dwell time across IOS/IOS XE environments.

Enabled through our ongoing Cisco and Splunk Better Together collaboration, with Cisco Talos surfacing emerging tradecraft and the Splunk Threat Research Team rapidly operationalizing it into detections across the Cisco product suite, customers benefit from relevant, high-quality, and actionable detections to detect earlier, verify remediation, and reduce dwell time across IOS/IOS XE and other current and legacy environments.

Key highlights

Following is a summary of the latest updates:

  • Cisco Smart Install Remote Code Execution (CVE-2018-0171): Introduced a new analytic story built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. You can read more about it in this recent Talos blog.
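The follow-on actions this analytic story looks for (privileged account creation, SNMP community changes, interface modifications, TFTP transfers) can be illustrated outside Splunk with a small parser over cisco:ios syslog. The code below is an added example, not ESCU or Talos content: the log lines are constructed, the rule regexes and the three-stage chaining heuristic are assumptions, and the CFGLOG_LOGGEDCMD lines assume config logging is enabled on the device.

```python
import re

# Constructed sample cisco:ios syslog lines (not from the page or Talos).
# The PARSER-5-CFGLOG_LOGGEDCMD lines assume "archive / log config / logging enable";
# exec-mode commands such as copy only appear with AAA command accounting, so the
# TFTP line is a stand-in for that accounting record.
SAMPLE_LOGS = [
    "Aug 22 10:01:02 core-sw1 101: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/1",
    "Aug 22 10:01:05 core-sw1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc_backup privilege 15 secret 5 $1$placeholder",
    "Aug 22 10:01:09 core-sw1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:snmp-server community private RW",
    "Aug 22 10:01:20 core-sw1 104: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.5)",
    "Aug 22 10:02:00 core-sw1 105: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy running-config tftp://203.0.113.5/core-sw1.cfg",
]

# Assumed rule set mirroring the detection categories named in the release notes.
RULES = {
    "privileged_account_creation": re.compile(r"\busername\s+\S+\s+privilege\s+15\b"),
    "snmp_community_change": re.compile(r"\b(?:no\s+)?snmp-server\s+community\b"),
    "interface_modification": re.compile(r"\binterface\s+\S+"),
    "tftp_transfer": re.compile(r"\btftp:"),
}

# Syslog header: timestamp, host, optional sequence number, %FACILITY-SEV-MNEMONIC:, message
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?:\d+:\s+)?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$")
USER = re.compile(r"User:(\S+)")
COMMAND = re.compile(r"logged command:(.*)$")

def parse(line):
    """Split one cisco:ios line into fields; command/user are None when absent."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    u, c = USER.search(ev["msg"]), COMMAND.search(ev["msg"])
    ev["user"] = u.group(1) if u else None
    ev["command"] = c.group(1).strip() if c else None
    return ev

def detect(lines):
    """Return one hit per (line, rule) match on the logged command text."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        for name, rx in RULES.items():
            if ev["command"] and rx.search(ev["command"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name, "command": ev["command"]})
    return hits

def chained_hosts(hits, required=("privileged_account_creation", "snmp_community_change", "tftp_transfer")):
    """Hosts on which all of the required stages were seen, for triage prioritisation."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in seen.items() if set(required) <= rules)
```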