TLP: Clear
The FCC’s notice on banning foreign-made routers fails to account for threat actors’ primary attack vectors: firmware vulnerabilities and credential abuse that persist regardless of device origin. Salt Typhoon targeted Cisco, a California-based company, with a privilege escalation vulnerability on its IOS XE routers, an attack where patching cadence matters more than device origin. Rather than focusing on routers made in America, organizations should prioritize selecting devices from vendors with active disclosure programs and transparency when reporting security vulnerabilities and patches.
The FCC cited the Volt, Flax, and Salt Typhoon campaigns as cyberattacks targeting critical infrastructure. All three relied on firmware vulnerabilities and credential abuse, not manufacturing geography.
Volt Typhoon attacked Fortinet VPNs and SOHO routers, which include devices from US-based vendors, through zero-day exploits and default credentials. Once devices were compromised, threat actors escalated privileges and moved laterally into critical infrastructure.
Flax Typhoon, a group linked to the Chinese tech contractor Integrity Technology Group, used known vulnerabilities to exploit VPN software and Remote Desktop connections. Once infected, the device joins a botnet that uses a Mirai variant to perform DDoS attacks and espionage.
Salt Typhoon targeted US telecommunication systems using known vulnerabilities such as CVE-2023-20198 and CVE-2023-20273 in Cisco and Fortinet devices, with CISA identifying Juniper firewalls as suspected targets among others. Once devices were infected, threat actors modified firewall rules and opened ports so that they could maintain persistence.
The FCC’s claim that routers manufactured outside the United States pose a security risk raises possibilities that its document alone cannot resolve.
The FCC is acting on classified information. In 2020, the FCC confirmed that it reviewed classified information to ban Huawei and ZTE products. Although this is plausible, the classified nature of the ban prevents security analysts from validating the FCC’s claims.
The FCC is acting on policy rather than technical analysis. Policy moves stock markets: the DJI ban in 2025 directly affected the stocks of US-based drone companies. Increased stock prices may be beneficial to the economy, but they do not address the alleged security concerns in routers.
Foreign manufacturers are a legitimate risk. Hardware backdoors are real and documented. Edward Snowden released documents from 2010 that revealed that the NSA implanted surveillance devices into Cisco routers, an attack that could easily happen with products destined for the United States. There have been no publicly released reports on foreign actors modifying hardware or firmware during the manufacturing process.
Many cyberattacks are opportunistic: threat actors exploit the path of least resistance rather than targeting specific manufacturers. While these attacks can have devastating effects, organizations can take steps to reduce their impact. Maintaining vendor support and patching are two of the biggest factors in protecting infrastructure. The cyberattacks cited in the FCC document involve firmware-related threats in existing products and are not the result of foreign interference.
While foreign governments can modify hardware during production, it is more likely that threat actors will exploit existing software vulnerabilities. Organizations should monitor vendor-related threat feeds and focus on maintaining vendor support and patching.
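Added example (not part of the original article or any vendor's tooling): one way to turn the feed-monitoring and patching advice above into an inventory check. The inventory, the vendor "ExampleNet", the feed dates and all function names are constructed for illustration; the feed entries only mimic the field names of CISA's Known Exploited Vulnerabilities catalog.

```python
from datetime import date

# Constructed feed excerpt using KEV-style field names; dateAdded values are sample data.
KEV_SAMPLE = [
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE", "dateAdded": "2023-10-16"},
    {"cveID": "CVE-2023-20273", "vendorProject": "Cisco", "product": "IOS XE", "dateAdded": "2023-10-23"},
]

# Constructed inventory. "origin" is recorded but deliberately never scored.
INVENTORY = [
    {"host": "edge-rtr-01", "vendor": "Cisco", "product": "IOS XE", "origin": "US",
     "firmware_date": "2023-06-01", "support_ends": "2027-01-31"},
    {"host": "branch-rtr-07", "vendor": "ExampleNet", "product": "ExampleOS", "origin": "non-US",
     "firmware_date": "2025-11-15", "support_ends": "2028-06-30"},
    {"host": "lab-rtr-02", "vendor": "ExampleNet", "product": "ExampleOS", "origin": "non-US",
     "firmware_date": "2021-02-10", "support_ends": "2022-12-31"},
]

def findings_for(device, feed, today):
    """Return patch and support findings for one device; origin is not an input."""
    out = []
    if date.fromisoformat(device["support_ends"]) < today:
        out.append("out of vendor support since " + device["support_ends"])
    fw = date.fromisoformat(device["firmware_date"])
    for entry in feed:
        same_product = (entry["vendorProject"].lower() == device["vendor"].lower()
                        and entry["product"].lower() == device["product"].lower())
        # Heuristic: firmware built before the listing is flagged for review;
        # confirm against the fixed versions in the vendor's advisory.
        if same_product and fw < date.fromisoformat(entry["dateAdded"]):
            out.append("firmware predates KEV listing of " + entry["cveID"])
    return out

def triage(inventory, feed, today):
    """Rank devices by number of findings, most urgent first; drop clean devices."""
    ranked = [(d["host"], findings_for(d, feed, today)) for d in inventory]
    ranked = [(h, f) for h, f in ranked if f]
    return sorted(ranked, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for host, found in triage(INVENTORY, KEV_SAMPLE, date(2026, 3, 30)):
        print(host, "->", "; ".join(found))
```

On this sample data the US-made router with stale firmware ranks first and the current, supported non-US device is not flagged at all.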
Sources
Government & Regulatory
1. FCC National Security Determination — Routers (March 2026): https://docs.fcc.gov/public/attachments/DA-26-278A1.pdf
2. CISA Advisory AA24-038A — Volt Typhoon (February 2024): https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
3. CISA Advisory AA25-239A — Salt Typhoon (September 2025): https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
4. CISA Advisory AA24-257A — Flax Typhoon (September 2024): https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-257a
5. US Treasury — Integrity Technology Group Sanctions (January 2025): https://home.treasury.gov/news/press-releases/jy2769
6. Federal Register — FCC Huawei/ZTE Classified Review (January 2020): https://www.federalregister.gov/documents/2020/01/03/2019-27610
7. NIST IR 8425A — Consumer Router Security Requirements (September 2024): https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
Threat Intelligence
8. Recorded Future — RedMike/Salt Typhoon Cisco Campaign (February 2025): https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices
9. Microsoft — Volt Typhoon LOTL Techniques (May 2023): https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques
10. Palo Alto Unit 42 — Volt Typhoon Threat Brief (2024): https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief
11. NJCCIC — Salt Typhoon Profile: https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/china-linked-cyber-operations-targeting-us-critical-infrastructure/salt-typhoon
12. NJCCIC — Volt Typhoon Profile: https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/china-linked-cyber-operations-targeting-us-critical-infrastructure/volt-typhoon
13. CyberScoop — Cisco Talos Salt Typhoon Analysis (February 2025): https://cyberscoop.com/cisco-talos-salt-typhoon-initial-access
Vendor Vulnerabilities
14. NVD — CVE-2021-40847 Netgear RCE: https://nvd.nist.gov/vuln/detail/CVE-2021-40847
15. NVD — CVE-2023-20198 Cisco IOS XE: https://nvd.nist.gov/vuln/detail/CVE-2023-20198
16. Cybellum — CVE-2022-38132 Linksys MR8300 (2022): https://cybellum.com/blog/how-we-found-cve-2022-38132-linksys-mr8300-zero-day
17. Eclypsium — Netgear Firmware Vulnerabilities (2025): https://eclypsium.com/blog/vulnerabilities-in-netgear-firmware-based-iot-devices-in-the-enterprise
18. Netgear Security Advisory — December 2025: https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory
Manufacturing & Market
19. Consumer Reports — Foreign Router Ban (March 2026): https://www.consumerreports.org/electronics-computers/wireless-routers/foreign-made-routers-fcc-ban-a1057564057
20. DroneXL — FCC Router Ban Same Playbook as DJI (March 2026): https://dronexl.co/2026/03/23/fcc-bans-foreign-routers-citing-security-risks-dji
21. PetaPixel — DJI Ban and Market Impact (December 2025): https://petapixel.com/2025/12/23/us-government-bans-new-dji-and-other-foreign-made-drones
22. The Drone Girl — US Drone Stock Market 2025: https://www.thedronegirl.com/2025/11/25/drone-stocks-in-2025
NSA Supply Chain Interdiction
23. Engadget — NSA Bugged Cisco Routers (May 2014): https://www.engadget.com/2014-05-16-nsa-bugged-cisco-routers.html
24. Lawfare — Supply Chain Attacks (2023): https://www.lawfaremedia.org/article/supply-chain-attacks-why-us-should-worry
25. Computerworld — Cisco Ships to Fake Addresses (March 2015): https://www.computerworld.com/article/1633983/to-avoid-nsa-cisco-delivers-gear-to-strange-addresses.html