Table of Contents
- Option 1: Upgrade IOS to a Secure Version
- Option 2: Disable the Smart Install Service
- Option 3: Apply Firewall Whitelist Rules
Option 1: Upgrade IOS to a Secure Version
If the hardware and licensing supports upgrading to a newer IOS version, follow the official “Software Installation and Upgrade Procedures” from Cisco here. Otherwise follow Option 2 for disabling the Smart Install service.
Option 2: Disable the Smart Install Service
It is recommended, that if the Smart Install service is not in use, to completely disable the service by issuing the following command from an elevated Cisco prompt:
no vstack
Option 3: Apply Firewall Whitelist Rules
It is recommended that if the Smart Install service is not in use to apply firewall rules limiting access to the service on port 4876/tcp. The following command from an elevated Cisco prompt will limit all access to that port:
ip access-list extended CFC_DISABLE_ALL_SMI deny tcp any any eq 4786 permit ip any any