The NSA, FBI, and CISA are telling Americans to reboot their routers weekly and harden home network equipment against Russian intelligence operatives who have been exploiting aging devices and outdated protocols. The joint advisory, tied to FBI alert I-082025-PSA, names Russia’s FSB as the actor behind campaigns that abuse Simple Network Management Protocol weaknesses and a seven-year-old Cisco vulnerability to burrow into consumer and small-office routers. For the tens of millions of households still running default configurations or end-of-life hardware, the agencies say a simple restart can disrupt memory-resident malware that survives ordinary use but not a power cycle.
FSB exploitation of home routers and why rebooting helps
Memory-resident implants are a favored tool of state-backed hackers because they live only in a device’s volatile RAM. They collect credentials, redirect traffic, and maintain persistent access to a target network, yet they vanish the moment the device loses power. That characteristic is exactly what makes a weekly reboot effective: it forces the malware to re-infect the device, giving defenders a recurring window in which the router is clean and the attacker must start over.
The joint cybersecurity advisory released by the NSA and its partner agencies underscores this dynamic. In its router hygiene guidance, the NSA stresses that volatile implants are disrupted by power cycles even when users have not applied the latest patches or changed their passwords. Rebooting does not remove an attacker’s ability to return, but it interrupts active operations, forcing adversaries to re-establish access and increasing the chances that anomalous activity will be noticed by internet service providers, enterprise defenders, or security tools watching network traffic.
The same advisory goes beyond the reboot recommendation. It calls on device owners to disable legacy protocols, specifically SNMPv2, and migrate to SNMPv3, which supports encryption and stronger authentication. The document also urges immediate patching of CVE-2018-0171, a Cisco Smart Install flaw first disclosed in April 2018 that FSB-linked actors continue to exploit years later. In combination, these steps are intended to make it harder for attackers to regain a foothold after each reboot, gradually shrinking the pool of vulnerable devices.
A reboot alone does not patch firmware or change weak passwords. But it does shorten what security professionals call “dwell time,” the period an attacker occupies a network before being detected or removed. In theory, enforced weekly reboots across a large population of consumer routers would compress that window from months to days. No public telemetry study has yet compared infection rates between households that reboot on a schedule and those that do not, but the logic tracks with well-documented behavior of volatile malware families that federal agencies have tracked since at least 2018.
What the FBI and CISA identified in the FSB campaign
The FBI’s public service announcement, designated I-082025-PSA, provides the operational detail behind the advisory. It states that FSB actors exploited SNMP on routers still configured with factory-default community strings, a known weakness that gives remote attackers read and sometimes write access to device configurations. The same bulletin flags end-of-life devices, routers that no longer receive security updates from their manufacturers, as a primary target because they will never be patched regardless of how many advisories agencies publish.
The Cisco Smart Install vulnerability CVE-2018-0171 appears prominently in the FBI’s findings. That flaw allows unauthenticated remote code execution on affected Cisco switches and routers. Cisco released a fix more than seven years ago, yet the FBI’s inclusion of it in a 2025 alert signals that a meaningful number of devices remain unpatched, particularly in small businesses and home offices where IT management is minimal or nonexistent. Attackers pairing this bug with weak SNMP configurations can move laterally from edge devices deeper into local networks, harvesting credentials or staging further compromises.
CISA’s own primary mitigations for operational technology reinforce the same set of actions: keep firmware current, enforce strong authentication, segment networks, and restart devices regularly. Although that guidance focuses on industrial and critical-infrastructure environments, the principles map closely to home and small-office routers. The agency first warned about Russian state-sponsored targeting of network infrastructure in an April 2018 alert, and the 2025 PSA explicitly builds on that earlier record, indicating the threat has persisted across multiple U.S. administrations without a decisive resolution.
In both the FBI and CISA materials, end-of-life hardware stands out as the softest target. Once a vendor stops shipping updates, every newly discovered vulnerability becomes a permanent opening. FSB-linked operators, according to the PSA, have systematically scanned for such devices, pairing automated discovery with known exploits and weak default settings. This strategy allows them to compromise large numbers of routers with relatively little effort, turning consumer equipment into a distributed access layer for espionage or follow-on attacks.
Gaps in the reboot guidance and what to watch next
The weekly reboot recommendation carries a notable gap. No primary NSA, CISA, or FBI document reviewed for this advisory specifies a weekly cadence for consumer routers or phones. The agencies describe rebooting as a best practice and list it among hardening steps, but the precise “once a week” interval appears to originate from secondary reporting and earlier NSA mobile-device guidance rather than from the text of the joint router advisory itself. Readers should treat the weekly figure as a reasonable minimum informed by agency thinking, not as a formally tested standard.
A second gap involves mobile phones. The NSA maintains a separate set of telework and mobile security resources that recommend periodic phone restarts, but the current joint advisory focuses on routers and network infrastructure. The FSB campaign described in the FBI’s PSA targets SNMP-enabled networking equipment, not smartphone operating systems. Conflating the two creates a broader impression of the threat than the primary documents support, and it risks confusing users about which devices are implicated by the Russian activity outlined in the alerts.
The most pressing unanswered question is scale. Neither the FBI nor CISA has published fresh telemetry showing how many U.S. households remain exposed to the specific tactics described in the advisory. Without that data, it is impossible to measure whether the guidance is reaching the people most at risk or whether the same vulnerable routers are being re-compromised after each reboot. The emphasis on end-of-life hardware suggests that millions of devices may never receive the patches or configuration changes that would permanently close the documented holes.
For now, the agencies’ strategy appears to be layered risk reduction rather than absolute prevention. Rebooting routers disrupts volatile implants. Disabling legacy SNMP versions and changing default strings blunt the easiest configuration-based attacks. Applying firmware updates and replacing unsupported hardware close off known vulnerabilities such as CVE-2018-0171. None of these steps alone can guarantee safety from a determined state-backed actor, but together they raise the cost of exploitation and limit the time an intruder can remain undetected.
Consumers and small businesses face practical hurdles in following this advice. Many users do not know how to access their router’s management interface, determine whether SNMP is enabled, or check for firmware updates. Others may be reluctant to replace equipment that still appears to work, even if it is no longer supported. The federal guidance implicitly relies on internet service providers, hardware vendors, and managed service firms to translate high-level recommendations into concrete actions, whether through automatic updates, improved defaults, or clearer customer notifications.
What comes next will depend on how aggressively those intermediaries respond. If ISPs and vendors treat the NSA, FBI, and CISA alerts as a mandate to phase out insecure defaults and unsupported devices, the window for FSB exploitation could narrow significantly over the next few years. If they do not, the same combination of weak SNMP configurations, unpatched Cisco flaws, and aging routers is likely to remain a recurring feature of Russian cyber operations-and a recurring reason for U.S. agencies to keep telling people to turn their routers off and back on again.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.