still possible that a nice PDF trojan horse delived to anyone within the internal network could have a loaded package that would go through the whole internal network and exploit the security holes found on CISCO switches
that's how they did it for hacking Iranian nuclear plants through the Iranian ministry foreign office