Cisco issued a security alert this week to warn customers that it's seen cases in which attackers are hijacking its networking devices using malicious firmware.
The number of attacks is limited, but the cases involve intruders replacing the Cisco IOS ROMMON with a malicious image to gain administrative or physical access to a Cisco IOS device. ROMMON, or ROM Monitor, is a program used to boot the Cisco IOS operating system on its switches and routers.
According to the Cisco security bulletin, attackers accessed the IOS devices using valid administrative credentials and then installed a malicious ROMMON by using the ROMMON field upgrade process.
"Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot," Cisco said.
The attacks don't involve a product vulnerability -- the ability to install a ROMMON image on IOS devices is a standard management feature, the company said. Plus, the attacks require valid administrative credentials or physical access to the device, according to Cisco.