Vendor-backdoor alarms

Iranian state media says networking gear from Cisco, Juniper, Fortinet and MikroTik failed during recent strikes, and officials are now treating the outages as possible sabotage. (theregister.com) The reports said routers and switches rebooted or dropped offline around attacks on Isfahan Province even after Iran had largely cut itself off from the global internet. Fars and other Iranian outlets argued that pattern pointed to hidden access in firmware or pre-positioned malware. (theregister.com) A router is the traffic cop of a network: it moves data between offices, data centers and the internet. When the device at the edge fails, phone systems, internal apps, remote links and security tools can all go dark at once. (cisco.com) Iran has not published forensic evidence showing a vendor-built backdoor, and outside reporting says the allegations remain unverified. Some coverage has instead pointed to other possibilities, including implanted malware, malicious packets or exploitation of existing flaws. (techspot.com) That distinction matters because recent cases show major networking brands can be compromised without any manufacturer secretly planting access. In April 2024, Cisco said attackers targeted certain Adaptive Security Appliance and Firepower Threat Defense devices to implant malware and gain persistence, and it told customers to upgrade and verify device integrity. (cisco.com) Juniper faced a similar problem. Mandiant said on March 11, 2025 that it found custom TINYSHELL-based backdoors on Junos OS routers, attributed the activity to the China-linked group UNC3886, and said the affected MX routers were running end-of-life hardware and software. (cloud.google.com) Fortinet products also sit in the same high-risk category of internet-facing edge gear. The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog says organizations should use actively exploited flaws as a priority input for patching and mitigation decisions. (cisa.gov) The practical response is less dramatic than the allegation: check firmware, compare hashes, review logs, scan for implants and move off unsupported hardware. Cisco says customers can use its Support Assistant to verify the integrity of affected ASA or Firepower devices, and Mandiant told Juniper users to upgrade, then run the Juniper Malware Removal Tool quick scan and integrity check. (cisco.com) (cloud.google.com) Iran’s claim lands in a market where trust in network appliances already runs thin. Even without proof of a vendor backdoor, the episode is pushing the same conclusion security agencies and vendors have repeated for two years: treat core routers and firewalls as systems that need constant integrity checks, not set-and-forget boxes. (cisa.gov)