What's new
Enterprise Security Content Updates version 5.13.0 was released on August 22nd, 2025.
ESCU 5.13 is a rapid‑response release addressing active exploitation of Cisco Smart Install (CVE‑2018‑0171) by Static Tundra, a Russian state‑sponsored espionage group linked to FSB Center 16 and known for long‑term compromises of network devices. The actor is abusing a seven‑year‑old, already‑patched flaw on unpatched or EOL IOS/IOS XE gear to steal configurations and establish persistent access, including bespoke SNMP tooling and historic firmware implants such as SYNful Knock.
To mitigate this campaign, the Splunk Threat Research Team operationalized Cisco Talos’ PCAP patterns and tradecraft into high‑signal detections on cisco:ios telemetry. These detections surface Smart Install ingress on TCP/4786 and oversized SMI packets, follow‑on configuration/persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging/exfiltration, with Cisco Secure Firewall mappings for unified triage.
This release gives security teams actionable hunts and earlier containment checks for a critical blind spot that typically sits outside EDR and has been abused for long-dwell espionage. In parallel, engineering teams can begin remediation in line with Talos/Cisco guidance: patch or turn off Smart Install, adopt SNMPv3, and harden management access. Given the campaign's global scope (telecom, higher education, and manufacturing across North America, Asia, Africa, and Europe) and the likelihood of similar activity by other state actors, this coverage is broadly applicable.
Enabled by our ongoing Cisco + Splunk Better Together collaboration, customers can rapidly receive high-fidelity hunts to detect earlier, verify remediation, and reduce mean time to detection and containment, cutting dwell time across IOS/IOS XE and other current and legacy environments. Kudos to Cisco Talos for surfacing this emerging tradecraft and to the Splunk Threat Research Team, who rapidly operationalized this intelligence into actionable detections across the Cisco product suite!
Key highlights
Following is a summary of the latest updates:
- Cisco Smart Install Remote Code Execution (CVE-2018-0171): Introduced a new analytic story built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. You can read more about it in this recent Talos blog.
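As an added illustration (not part of ESCU or this release, whose detections are SPL searches over cisco:ios data), the Python below shows the triage idea behind the configuration-based analytics: parse Cisco IOS configuration-archive syslog lines and map each logged command onto a detection theme. The `%PARSER-5-CFGLOG_LOGGEDCMD` message layout, the rule names and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed layout of the IOS config-archive syslog message emitted when
# "archive / log config / logging enable" is configured (an assumption here).
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Hypothetical rule set mirroring the release's detection themes:
# (theme, regex over the logged configuration command). First match wins.
RULES = [
    ("privileged_account_creation", re.compile(r"^username\s+\S+.*\bprivilege\s+15\b")),
    ("snmp_community_change",       re.compile(r"^(no\s+)?snmp-server\s+community\s+\S+")),
    ("interface_modification",      re.compile(r"^(no\s+)?interface\s+\S+")),
    ("tftp_server_exposure",        re.compile(r"^tftp-server\s+\S+")),
]

def parse_cfglog(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, command) from a config-archive syslog line, or None."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Map each logged configuration command onto the first theme it matches."""
    findings = []
    for line in lines:
        parsed = parse_cfglog(line)
        if parsed is None:          # not a config-archive message; ignore
            continue
        user, cmd = parsed
        for theme, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"user": user, "theme": theme, "command": cmd})
                break
    return findings

# Constructed sample lines (not real telemetry): one per theme plus benign noise.
SAMPLE_LOGS = [
    "Aug 22 10:01:03 sw01 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-net logged command:username svc-net2 privilege 15 secret 0 REDACTED",
    "Aug 22 10:01:09 sw01 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-net logged command:snmp-server community REDACTED RW",
    "Aug 22 10:01:15 sw01 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-net logged command:tftp-server flash:running-config",
    "Aug 22 10:01:20 sw01 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-net logged command:interface GigabitEthernet0/1",
    "Aug 22 10:02:00 sw01 1238: %SYS-5-CONFIG_I: Configured from console by svc-net on vty0 (192.0.2.10)",
    "Aug 22 10:02:05 sw01 1239: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-net logged command:hostname sw01",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['theme']:<28} user={f['user']} cmd={f['command']}")
```

Smart Install ingress on TCP/4786 and oversized SMI packets are network-traffic observations rather than syslog events, so they are outside what this config-log triage covers.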
New analytic story
New analytics
- Cisco Configuration Archive Logging Analysis
- Cisco IOS Suspicious Privileged Account Creation
- Cisco Network Interface Modifications
- Cisco SNMP Community String Configuration Changes
- Cisco Secure Firewall - Static Tundra Smart Install Abuse
- Cisco Smart Install Oversized Packet Detection
- Cisco Smart Install Port Discovery and Status
- Cisco TFTP Server Configuration for Data Exfiltration