Cisco IOS SYNful Knock Implant

critical Nessus Plugin ID 86151


The remote host is infected with an implant that allows an attacker to take full control of the device.


The remote host is infected by the SYNful Knock implant, a persistent backdoor introduced via a malicious IOS firmware image. A remote attacker can exploit the implant, via HTTP packets sent to the device's interface, to gain complete control of the affected device.


Follow your organization's procedures for responding to an infected host.

See Also

Plugin Details

Severity: Critical

ID: 86151

File Name: cisco_synful_knock.nbin

Version: 1.46

Type: remote

Family: Backdoors

Published: 9/25/2015

Updated: 9/25/2023

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.


Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/o:cisco:ios

Vulnerability Publication Date: 9/15/2015