Cisco IOS SYNful Knock Implant

Critical Nessus Plugin ID 86151


The remote host is infected with an implant that allows an attacker to take full control of the device.


The remote host is infected by the SYNful Knock implant, a persistent backdoor introduced via a malicious IOS firmware image. A remote attacker can exploit the implant, via HTTP packets sent to the device's interface, to gain complete control of the affected device.


Follow your organization's procedures for responding to an infected host.

Plugin Details

Severity: Critical

ID: 86151

File Name: cisco_synful_knock.nbin

Version: 1.11

Type: remote

Family: Backdoors

Published: 2015/09/25

Modified: 2018/10/12

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:cisco:ios

Vulnerability Publication Date: 2015/09/15