Home Blog The FBI Wants You to Reboot Your Router
Security Advisory · April 11, 2026

The FBI Wants You to Reboot Your Router. Here's Why That's Not Enough.

Rebooting your router disrupts active malware — but it won't fix what's already been changed. Here's the full story.

Security Advisory · 7 min read · April 11, 2026 · Patrick Gorden

In April 2026, the NSA and FBI issued a joint advisory telling consumers and small businesses to reboot their routers. If you saw the headline and thought "that seems too simple" — you were right. The reboot matters, but it's step one of a longer checklist, not the whole fix.

Here's what actually triggered the advisory, what rebooting does and doesn't do, and what you should actually do if you want your network to be in good shape.

What the Advisory Was Actually About

The April 2026 advisory was tied to an active campaign by APT28 — also known as Fancy Bear, the Russian GRU-linked threat group responsible for some of the most high-profile hacks of the past decade. The specific technical issue: CVE-2023-50224, a vulnerability in TP-Link routers that attackers were actively exploiting to hijack DNS settings.

DNS hijacking is nastier than it sounds. Your router acts as the DNS resolver for every device on your network. When you type "yourbank.com" into a browser, your router is what translates that into an IP address. If an attacker has changed your DNS settings, they can quietly redirect you to a spoofed login page — one that looks identical to the real site — and harvest your credentials before passing you along to the real destination. You'd never know it happened.

What attackers gain from DNS hijacking
  • Intercept login credentials for banking, email, and cloud services
  • Redirect users to malware download pages disguised as software updates
  • Exfiltrate sensitive data silently over time
  • Maintain persistent access even after the user changes passwords

What "Reboot Your Router" Actually Does

Your router has two types of memory: RAM (volatile, clears on reboot) and flash storage (persistent, survives reboots). Memory-resident malware — code that loads into RAM when the device boots — gets wiped when you power cycle the device. That's the win a reboot gives you.

What it doesn't fix: anything written to flash storage, any configuration changes the attacker made (like that DNS redirect), or firmware-level implants. If an attacker had persistent access and changed your DNS servers to point to their infrastructure, rebooting the router doesn't undo that. The router boots back up with the attacker's DNS settings still in place.

"A reboot clears the infection from memory. It doesn't undo the damage the infection already caused."

This same dynamic applies to the modem side of your setup — and that device is even more overlooked. The attack surface extends beyond your router. I've written separately about how modems get compromised and what zombie modem infections look like — it's worth reading alongside this.

This Has Happened Before

The 2026 advisory isn't the first time nation-states have systematically targeted consumer-grade network hardware. This is a pattern, and it goes back years.

VPNFilter (2018) — Russian GRU actors deployed a modular malware framework to over 500,000 routers across 54 countries. It targeted SOHO (small office/home office) devices from Linksys, MikroTik, Netgear, TP-Link, and others. VPNFilter could survive a reboot (it had a first-stage loader in flash), exfiltrate credentials, monitor industrial control system traffic, and brick the device on command. The FBI seized the command-and-control domain, which disrupted the campaign — but only after the infection was already widespread.

Volt Typhoon (2023–2024) — Chinese state-sponsored actors spent months pre-positioning inside U.S. critical infrastructure by compromising SOHO routers. The goal wasn't immediate theft — it was to establish footholds that could be activated for espionage or sabotage. They specifically targeted end-of-life Cisco and Netgear hardware that no longer received security updates. The technique relied on the fact that nobody was watching these devices.

The common thread: nation-state actors are systematically targeting cheap, unmanaged consumer hardware because it's easy, it's everywhere, and nobody's looking at it. The same concern applies to IoT devices like cameras, smart thermostats, and NAS boxes — which have become the primary recruitment pool for state-sponsored botnets.

Why Consumer Routers Are the Target

It's not complicated: consumer routers are the path of least resistance. They ship with default credentials that most users never change. Firmware updates require manual intervention, so most devices run outdated software for years. Many devices hit end-of-life and stop receiving patches entirely — but they keep running. And there's no visibility: no logs you can actually read, no alerting, no centralized management.

Why consumer routers make easy targets
  • Default admin credentials left unchanged (admin/admin, admin/password)
  • No automatic firmware updates — users must manually check and apply
  • End-of-life hardware still in production use with no patch support
  • Remote management often enabled by default, accessible from the internet
  • No logging or monitoring — breaches go undetected indefinitely

Your Network at a Glance

Understanding where your router sits in the chain matters when you're thinking about what to protect. Here's a basic view:

ISP Internet MODEM ISP signal ROUTER ← attack target WIRED DEVICES computers, NAS WIFI DEVICES phones, tablets Basic network path — ISP signal flows through modem and router to all devices

Everything on your network — every phone, laptop, printer, camera, and smart device — routes through that router. If the router is compromised, so is everything behind it.

What You Should Actually Do

The advisory said reboot. Here's the full checklist:

What to do right now
  • Reboot the router (yes, do it — clears memory-resident malware)
  • Log into the admin panel and check your DNS settings — they should point to your ISP or a known provider like 1.1.1.1 or 8.8.8.8, not something unfamiliar
  • Change the admin password if it's still the default
  • Disable remote management if you don't need it
  • Check the manufacturer's site for firmware updates and apply them
  • Look up whether your device model is still receiving security patches — if it's end-of-life, plan to replace it

For businesses — including churches managing their own networks — the better answer is managed networking with actual visibility. That means hardware that gets automatic firmware updates, centralized monitoring, and configuration you don't have to re-verify every few months.

On the IoT side, make sure your smart devices aren't on the same network as your computers and phones. A compromised thermostat or camera shouldn't be able to reach your laptops. That's a VLAN problem, and it's closely related to the botnet recruitment tactics described in the IoT post — segmentation is the defense.

And don't forget the device upstream of your router. The modem is its own attack surface — rebooting the router doesn't touch it.

"Managed networking isn't just about speed — it's about knowing what's actually running on your equipment."

I've done network rebuilds for a local church that was running consumer gear through a Sunday morning service and remote IT work for a small business in Florida that needed enterprise-level reliability without enterprise complexity. The pattern is always the same: the right hardware, configured correctly, managed consistently.

If your network is running on stock hardware that hasn't been touched in a few years, that needs to change. Not because the FBI said so — because the threat is real and the fix isn't complicated.

Your network deserves better than stock hardware. Let's talk.

WCW installs and manages UniFi networks for small businesses and churches — automatic firmware updates, centralized monitoring, IoT isolation built in. No consumer-grade surprises.

Get in Touch 📅 Book a Free Consultation