In a blog post, Talos said the Cisco Smart Install Client was a legacy utility that could be used for no-touch installation of new Cisco switches.
But the protocol used by this tool could be abused to modify the settings of the TFTP server, exfiltrate configuration files, and change settings to facilitate the execution of IOS commands.
IOS is a package of routing, switching, inter-networking and telecommunications functions integrated into a multi-tasking operating system.
Talos said it had found about 168,000 switches online that were potential targets of these attacks. An increase in scans looking for Cisco Smart Install Client had been noticed since 9 November last year.
It advised those using the Cisco Smart Install Client to remove it from all devices where it was not in use.