AN0225: Analytic 0225
Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.
Analyst context for executives and security teams
This analytic is about spotting attempts to abuse publicly exposed administrative services on network devices such as routers, firewalls, and switches. The business issue is that these devices often sit in critical traffic paths; compromise can affect connectivity, visibility, segmentation, and incident response itself. For leaders, the key question is whether externally reachable management interfaces are known, monitored, and governed tightly enough to produce usable evidence when abnormal management traffic, device errors, configuration changes, or outbound connections occur.
Executive priority
Prioritize this as an operational resilience and control-assurance issue for network infrastructure. Executives and security leaders should ask whether public administrative exposure on network devices is intentional, documented, restricted, and auditable. This analytic can support budget and risk decisions around network device logging, secure management architecture, configuration governance, and incident readiness, especially where routers, firewalls, or switches support critical business operations.
Technical view
The supplied analytic describes a behavioral chain on Network Devices: anomalous HTTP, SNMP, or SmartInstall inputs against public admin services; followed by device syslog errors or restarts; followed by configuration changes or CLI process/activity; followed by egress toward attacker-controlled command-and-control infrastructure. SOC and IR teams should validate whether they can correlate these evidence points across network-device logs, management-plane traffic, configuration-change records, and outbound flow telemetry. No official detection logic or ATT&CK relationships were supplied, so local engineering is required to define thresholds, baselines, and enrichment.
Likely telemetry
- Network device syslog, including errors, crashes, restarts, authentication events, and management-service messages
- Management-plane traffic to routers, firewalls, and switches, especially HTTP and SNMP where enabled
- Configuration change logs, startup/running configuration diffs, and administrative command history where available
- CLI session records or accounting logs from network devices and management systems
- Outbound network flow, firewall, proxy, or egress telemetry from network devices to external destinations
Detection direction
- Validate that public-facing management services on network devices are inventoried and monitored, rather than relying only on endpoint or server telemetry.
- Correlate unusual management inputs with subsequent device instability, configuration changes, CLI activity, and unexpected outbound connections.
- Tune detections against approved network management platforms, scanners, monitoring systems, and administrator source ranges to reduce false positives.
- Review blind spots where network devices do not send reliable syslog, where SNMP/HTTP management traffic is not captured, or where configuration changes are not centrally recorded.
- Because no official detection text is provided, treat this analytic as a detection strategy to operationalize with local baselines and known-good management behavior.
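As an added example (not part of the AN0225 analytic or any official detection logic), the following Python correlates constructed network-device events into the four-stage chain per device, tunes out an assumed approved management source, and reports partial chains so a team can see where its telemetry or the activity stopped. The event type names, addresses and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order from the analytic: anomalous management input -> device
# error/restart -> configuration change or CLI activity -> egress.
STAGES = ("mgmt_input", "device_error", "config_or_cli", "egress")

# Assumed address of an approved NMS, used to tune out known-good inputs.
APPROVED_SOURCES = {"10.0.5.20"}

# Constructed sample events, not real logs:
# (timestamp, device, stage, source address or None, detail)
EVENTS = [
    ("2024-01-10T09:00:05", "edge-rtr-1", "mgmt_input", "203.0.113.7", "HTTP to admin UI"),
    ("2024-01-10T09:00:09", "edge-rtr-1", "device_error", None, "management process restart"),
    ("2024-01-10T09:01:30", "edge-rtr-1", "config_or_cli", None, "running-config changed"),
    ("2024-01-10T09:02:10", "edge-rtr-1", "egress", None, "new outbound flow to 198.51.100.9:443"),
    ("2024-01-10T10:00:00", "core-sw-2", "mgmt_input", "10.0.5.20", "SNMP poll"),
    ("2024-01-10T10:05:00", "core-sw-2", "config_or_cli", None, "scheduled backup diff"),
    ("2024-01-10T11:00:00", "dmz-fw-1", "mgmt_input", "203.0.113.8", "HTTP to admin UI"),
    ("2024-01-10T11:00:30", "dmz-fw-1", "device_error", None, "unexpected reload"),
]


def correlate_chain(events, window_minutes=30, approved=APPROVED_SOURCES):
    """Per device, follow each unapproved management input forward through the
    stages in order; complete chains are alerts, partial ones show where it stopped."""
    by_device = defaultdict(list)
    for ts, device, stage, src, detail in events:
        by_device[device].append((datetime.fromisoformat(ts), stage, src, detail))
    findings = []
    for device, evs in sorted(by_device.items()):
        evs.sort(key=lambda e: e[0])  # chronological order per device
        for i, (t0, stage, src, detail) in enumerate(evs):
            if stage != STAGES[0] or src in approved:
                continue  # only unapproved management inputs start a chain
            chain, nxt = [(stage, detail)], 1
            for t, s, _, d in evs[i + 1:]:
                if t - t0 > timedelta(minutes=window_minutes) or nxt == len(STAGES):
                    break
                if s == STAGES[nxt]:  # only the next expected stage advances the chain
                    chain.append((s, d))
                    nxt += 1
            findings.append({"device": device, "start": t0.isoformat(),
                             "stages_seen": len(chain), "complete": nxt == len(STAGES),
                             "chain": chain})
    return findings
```

In the constructed data, edge-rtr-1 completes all four stages, dmz-fw-1 stops after the device error, and core-sw-2 is suppressed because its input came from the approved source.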
Mitigation priorities
- Reduce or eliminate public exposure of administrative services on routers, firewalls, and switches where not explicitly required.
- Restrict management access to approved administrative networks and trusted sources, with strong authentication and change control.
- Centralize and retain network-device syslog, configuration-change evidence, and administrative accounting records for investigation and compliance support.
- Monitor egress from network infrastructure devices and investigate unexpected external destinations.
- Regularly validate network-device inventory, management-plane exposure, and logging coverage as part of vulnerability management and incident response readiness.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic, AN0225, for enterprise Network Devices. Its value is strongest as a coverage checklist: can the organization observe the described chain from public admin-service interaction through device symptoms, configuration or CLI activity, and outbound communications? No relationship context was supplied, so this take does not map the analytic to specific ATT&CK techniques, threat groups, campaigns, or software.
The official detection field is not provided, tactics are not specified, and no relationships were supplied. The summary therefore avoids claims about active exploitation, attribution, guaranteed detection, or specific products. Actual risk and detection quality depend on local network-device exposure, logging configuration, retention, baselining, and egress visibility.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3811713fee64… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0225
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.