
Malicious actors capitalizing on vulnerabilities in Cisco systems, connected to Salt Typhoon operation

Exploitation of the CVE-2018-0171 vulnerability, noted by GreyNoise, was reportedly used in a recent cyberattack attributed to a Chinese-backed threat group, according to Cisco Talos researchers.

Hackers Leveraging Cisco Flaws in Connection with Salt Typhoon Cyberassault

In a series of recent cyberattacks, the Chinese nation-state threat group Salt Typhoon has been exploiting vulnerabilities in Cisco devices, according to multiple cybersecurity research firms.

The most recent attacks have targeted CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software, and CVE-2023-20198, a critical privilege escalation vulnerability affecting the Cisco IOS XE Web UI. Exploitation of these vulnerabilities was observed between December 2024 and January 2025.

Cisco Talos researchers observed a recent attack where Salt Typhoon exploited CVE-2018-0171, but found no other evidence of Cisco vulnerabilities being used by the group. However, GreyNoise has observed recent exploitation of CVE-2023-20198 against unpatched Cisco devices.

The malicious IPs originating from Switzerland and the United States were involved in the exploitation of CVE-2018-0171 in December 2024 and January 2025. Recorded Future's Insikt Group observed Salt Typhoon attacks between December and January where threat actors exploited CVE-2023-20198 against unpatched Cisco devices.

Salt Typhoon's campaign against telecom organizations continued in December and January, compromising five more telecom providers, including two based in the U.S. The group has been responsible for several high-profile breaches of U.S. telecom companies, including AT&T, Verizon, and Lumen Technologies, which first came to light last fall.

In those attacks, Salt Typhoon accessed private communications for high-value individuals and obtained data related to law enforcement requests. The compromises were achieved by exploiting CVE-2023-20198 and CVE-2023-20273 to gain initial access.

It is unclear which threat actors are behind the observed exploitation of CVE-2023-20198: GreyNoise did not say whether multiple actors could be responsible, nor whether it has enough evidence to determine how many were involved.

GreyNoise did not attribute the exploitation of CVE-2023-20198 to Salt Typhoon or to any other specific threat actor. Salt Typhoon itself is a threat actor believed to be connected to the People's Republic of China and has been active since 2019. The group has been involved in several high-profile breaches, including the exploitation of these Cisco vulnerabilities to target telecommunications companies as part of a broader cyberespionage campaign.

Cisco IOS and IOS XE software users are advised to apply the necessary patches to protect their devices from these vulnerabilities. For more information on the vulnerabilities and their patches, visit the Cisco Security Advisories website.

  1. The Chinese threat group Salt Typhoon has been using malware to exploit vulnerabilities in Cisco devices, as revealed by multiple cybersecurity research firms.
  2. One of the vulnerabilities targeted in these attacks is CVE-2023-20198, a critical privilege escalation vulnerability in Cisco IOS XE Web UI, which was exploited by Salt Typhoon and observed by GreyNoise.
  3. Political implications of the attacks have arisen due to Salt Typhoon's role in compromising U.S. telecom companies, including AT&T, Verizon, and Lumen Technologies, according to Recorded Future's Insikt Group.
  4. The exploitation of these vulnerabilities in Cisco devices highlights the importance of cybersecurity technology and threat intelligence in detecting and protecting against malicious cyberattacks.
