LAST UPDATED: 2023-05-12
This report identifies hosts with SNMPv2 publicly accessible, that are responding to the community “public”, and that have the potential to be used in amplification attacks by criminals who wish to perform denial of service attacks.
IMPORTANT: As of 2023-05 it also identifies SNMPv3 hosts as well as Cisco routers vulnerable to CVE-2017-6736 a CVS 8.8 RCE which is known to be abused by APT28 as reported by NCSC UK in “APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers”. See also our blog UK/US Joint Announcements Remind Us That Un-Remediated Vulnerabilities Snowball. If you receive an entry tagged CVE-2017-6736, make sure to apply patches!
The OID being probed for is 188.8.131.52.184.108.40.206.0 (sysDescr) and if the host responds to that probe, the host is then probed for OID 220.127.116.11.18.104.22.168.0 (sysName). The analogous shell commands would be:
snmpget -c public -v 2c [ip] 22.214.171.124.126.96.36.199.0
snmpget -c public -v 2c [ip] 188.8.131.52.184.108.40.206.0
For more details on our results, please visit our SNMP dashboard results.
You can learn more on the report in our Open SNMP Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
For more information on our scanning efforts, check out our Internet scanning summary page.
Filename(s): scan_snmp, scan6_snmp