100+ Malicious IPs Actively Exploiting Vulnerabilities in Cisco Devices

A malicious campaign is targeting Cisco networking equipment through two critical vulnerabilities, with state-backed and other actors exploiting unpatched systems.
GreyNoise Intelligence has identified 110 malicious IPs actively exploiting CVE-2023-20198, a privilege escalation flaw in Cisco IOS XE devices. There has also been renewed abuse of the seven-year-old CVE-2018-0171 vulnerability linked to high-profile telecom breaches.
- CVE-2023-20198: Actively exploited by 110 IPs originating from Bulgaria (38%), Brazil (27%), and Singapore (19%), with attack volumes tripling since October 2024, GreyNoise observed.
- CVE-2018-0171: Two IPs from Switzerland and the U.S. targeted this legacy Smart Install flaw from December 2024 to January 2025, coinciding with Salt Typhoon’s telecom attacks.
- State-Aligned Activity: Chinese group Salt Typhoon leveraged both vulnerabilities to breach five telecom networks, maintaining access for over three years in one instance.
Salt Typhoon’s Attack Campaign
The Chinese state-sponsored group Salt Typhoon (aka RedMike) has systematically targeted global telecom providers since 2021, blending credential theft with vulnerability exploitation. Recent incidents confirm their use of:
- CVE-2023-20198: A privilege escalation flaw (CVSS 10.0) allowing full device control via Cisco’s web UI.
- CVE-2023-20273: A command injection vulnerability (CVSS 7.2) enabling root-level persistence.
- CVE-2018-0171: A Smart Install RCE flaw, patched in 2018 but still present on legacy systems that were never updated.
Between December 2024 and January 2025, Salt Typhoon exploited these CVEs to compromise a U.S. ISP, a U.K. telecom affiliate, and providers in South Africa and Thailand.
Cisco Talos confirmed the group’s use of valid credentials and of traffic capture on compromised devices to harvest SNMP and TACACS secrets, facilitating lateral movement across multinational infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for addressing the Cisco IOS XE Web UI vulnerabilities, noting that CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco’s IOS XE software affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled.
To mitigate these threats, organizations are advised to take immediate action:
- Apply all patches immediately.
- Restrict management interface access.
- Use strong authentication mechanisms to control access to the management interface.
- Implement network segmentation to ensure affected devices are isolated from sensitive parts of the network.
- Disable Cisco’s Smart Install service using “no vstack”.
- Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
- If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
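The CISA guidance above boils down to a handful of settings that can be read straight out of a device’s running configuration: whether the web UI (HTTP/HTTPS server) that exposes CVE-2023-20198 is enabled, whether Smart Install has been explicitly turned off with “no vstack”, and whether every VTY stanza carries “transport input ssh” and “transport output none”. The following is an added example (not code from the article, GreyNoise, Cisco or CISA) that audits a `show running-config` dump for those settings. Both configs it parses are constructed for illustration, and the `iox` check is an assumption on our part: guest shell state is not visible in the running config, so the script only flags `iox` (the guest shell prerequisite) as a prompt to run `show app-hosting list` and `guestshell disable`.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from a real device). It carries the
# weak settings the mitigation list says to remove.
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
iox
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
 transport output all
line vty 5 15
 transport input ssh
 transport output none
!
end
"""

# Hardened counterpart (also constructed): same device after the fixes.
HARDENED_RUNNING_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
no vstack
!
line vty 0 4
 transport input ssh
 transport output none
line vty 5 15
 transport input ssh
 transport output none
!
end
"""


def parse_vty_lines(config: str) -> Dict[str, Dict[str, str]]:
    """Return {'line vty 0 4': {'transport input': 'telnet ssh', ...}, ...}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            stanzas[current] = {}
        elif raw.startswith(" ") and current is not None:
            m = re.match(r"\s+(transport (?:input|output))\s+(.*)$", raw)
            if m:
                stanzas[current][m.group(1)] = m.group(2).strip()
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas


def audit_ios_xe_config(config: str) -> List[str]:
    """Return one finding per setting that contradicts the CISA mitigations."""
    findings: List[str] = []
    top = {line.strip() for line in config.splitlines() if not line.startswith(" ")}

    # CVE-2023-20198 / CVE-2023-20273 are reachable only through the web UI,
    # which is served only while the HTTP or HTTPS server is enabled.
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            findings.append(f"web UI exposed: '{svc}' is enabled (CVE-2023-20198 surface)")

    # CVE-2018-0171 lives in the Smart Install client. A disabled client shows
    # up as 'no vstack'; its absence means the client was never turned off.
    if "no vstack" not in top:
        findings.append("Smart Install not explicitly disabled: add 'no vstack' (CVE-2018-0171 surface)")

    # CISA: every VTY stanza should read 'transport input ssh' / 'transport output none'.
    for name, opts in parse_vty_lines(config).items():
        tin = opts.get("transport input", "<not set>")
        if tin != "ssh":
            findings.append(f"{name}: transport input is '{tin}', expected 'ssh'")
        tout = opts.get("transport output", "<not set>")
        if tout != "none":
            findings.append(f"{name}: transport output is '{tout}', expected 'none'")

    # Assumption: 'iox' is the guest shell prerequisite on IOS XE, so its
    # presence is a prompt to verify with 'show app-hosting list'.
    if "iox" in top:
        findings.append("iox enabled: run 'show app-hosting list'; 'guestshell disable' if unused")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        print(f"== {label} config ==")
        for finding in audit_ios_xe_config(cfg) or ["no findings"]:
            print("  " + finding)
```

The weak config produces six findings (both HTTP servers, Smart Install never disabled, telnet and unrestricted output on `line vty 0 4`, and the `iox` prompt); the hardened config produces none. Feed it the output of `show running-config` from each device, and treat the web UI and VTY findings as the ones to fix first, since those are the exposures the 110 IPs in the GreyNoise data are probing.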
The post 100+ Malicious IPs Actively Exploiting Vulnerabilities in Cisco Devices appeared first on Cyber Security News.