Press release

Red Balloon Security Discovers Critical Vulnerability in Millions of Cisco Switches, Routers, and Firewalls

Sponsored by Businesswire

Red Balloon Security, a leading embedded device security firm, has
discovered a high-risk vulnerability in Cisco’s secure boot process
which impacts a wide range of Cisco products in use among enterprise and
government networks, including routers, switches and firewalls.

The vulnerability, codenamed “Thrangrycat,” is caused by a series of
hardware design flaws within Cisco’s Trust Anchor module. First
commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a
proprietary hardware security module that is used in a wide range of
Cisco products, including enterprise routers, switches and firewalls.
TAm is the root of trust that underpins all other Cisco security and
trustworthy computing mechanisms in these devices. The Thrangrycat
vulnerability allows an attacker to make persistent modification to the
Trust Anchor module via remote exploitation, thereby defeating the
secure boot process and invalidating Cisco’s chain of trust at its root.
While the flaws are based in hardware, Thrangrycat can be exploited
remotely without any need for physical access. Since the Thrangrycat
flaws reside within the hardware design, it is unlikely that any
software security patch will fully resolve the fundamental security

“This is a significant security weakness which potentially exposes a
large number of corporate, government and even military networks to
remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red
Balloon Security. “We’re talking about tens of millions of devices
potentially affected by this vulnerability, many of them located inside
of sensitive networks. These Cisco products form the backbone of secure
communications for these organizations, and yet we can exploit them to
permanently own their networks. Fixing this problem isn’t easy, because
to truly remediate it requires a physical replacement of the chip at the
heart of the Trust Anchor system. A firmware patch will help to offset
the risks, but it won’t completely eliminate them. This is the real
danger, and it will be difficult for companies, financial institutions
and government agencies to properly address this problem.”

Thrangrycat is remotely exploitable and provides attackers with a
reliable backdoor into highly secure networks, allowing them to bypass
even rigorous cybersecurity defenses in order to gain full and
persistent access inside the network. An attacker could remotely exploit
this vulnerability to intercept communications, steal or manipulate
data, install stealthy implants and carry out further attacks on other
connected devices. Red Balloon Security researchers have demonstrated
physical destruction of Cisco routers by leveraging Thrangrycat via
remote exploitation.

Red Balloon Security has been working closely with Cisco’s Product
Security Incident Response Team (PSIRT) to address this vulnerability,
and commends PSIRT for its fast and diligent response.

For more technical details about Thrangrycat, visit

About Red Balloon Security

Founded in 2011, Red Balloon Security (
is a leading cybersecurity provider and research firm that specializes
in the protection of all embedded devices regardless of industry. The
New York City-based company secures embedded systems with a suite of
host-based firmware security solutions that continuously monitor
critical elements of firmware and report indications of attempted
intrusions throughout runtime.