Cookie Consent by Free Privacy Policy Generator

NCSC warns of Russian exploitation of poorly configured routers in critical infrastructure

The National Cyber Security Centre has issued a joint advisory with international partners warning that Russian state-sponsored cyber actors are actively exploiting poorly configured routers and edge network devices to gain access to critical infrastructure networks. The advisory, published on 13 July 2026, highlights that threat actors are targeting routers, firewalls and other edge devices across energy, water, healthcare and transport sectors, using default credentials, unpatched vulnerabilities and weak configurations to establish persistent access for intelligence gathering and potential operational disruption.

Why this matters for UK organisations

Network edge devices such as routers and firewalls are often deployed and then left largely unmanaged, with default credentials unchanged, firmware updates delayed or overlooked, and logging either disabled or not monitored. When these devices are compromised, attackers gain a foothold that is difficult to detect and can persist for months or years, providing ongoing access to internal networks, operational technology environments and sensitive data. For organisations operating critical infrastructure or managing operational technology, this advisory reinforces that edge devices are high-value targets requiring active management and should be treated with the same rigour as servers and endpoints. The NCSC advisory also highlights that these compromises are being used not just for espionage but as potential pre-positioning for future disruptive activity, which raises the stakes for organisations in sectors identified as critical national infrastructure.

What to review

Organisations should review the security posture of all network edge devices, starting with internet-facing routers, firewalls and VPN concentrators. Check whether default credentials have been changed, whether firmware is current and whether there is a defined process for monitoring vendor security advisories and applying updates. Ensure that logging is enabled on these devices and that logs are being collected, retained and monitored for signs of unusual activity. Review whether these devices are included in regular vulnerability scanning and penetration testing, and whether there is clear ownership for their ongoing management. For organisations in critical infrastructure sectors, consider whether network segmentation is in place to limit the impact of a compromised edge device, and whether there are detection capabilities that would identify lateral movement or unusual traffic patterns originating from these devices.

Source: NCSC UK

News and blog posts
SonicWall has issued an urgent security advisory warning that two zero-day...
The US Cybersecurity and Infrastructure Security Agency has added four...
Today's brief focuses on the operational realities of managing vulnerabilities...
The National Cyber Security Centre has issued a joint advisory with...