Salt Typhoon Exploit Campaign: CVE-2023-20198 and CVE-2023-20273 Targeting Cisco Network Devices
- Rescana
- Feb 14

Rescana's cybersecurity analysis team has confirmed that the latest exploit campaign orchestrated by the China-backed threat actor Salt Typhoon (also known as RedMike) is targeting Cisco network devices. The ongoing campaign has a notable focus on telecommunications companies and educational institutions globally, with primary targets in the United States, South Africa, and other strategic nations.
Executive Summary
This report presents a detailed advisory on the recently identified vulnerabilities CVE-2023-20198 and CVE-2023-20273 compromising Cisco network devices. The vulnerabilities enable unauthorized access and privilege escalation, which facilitate full control of affected devices. The threat actor behind the campaign, Salt Typhoon, has been observed targeting telecommunications providers and academic institutions to disrupt operations and exfiltrate sensitive data. This advisory provides in-depth technical details, exploitation evidence, relevant APT group information, detailed lists of affected product versions, and recommended mitigation strategies. We encourage our customers to reach out with any questions at ops at rescana.com.
Technical Information
Our investigation into the vulnerabilities affecting Cisco network devices reveals significant security lapses in the web user interfaces of devices running vulnerable versions of IOS XE software. The first vulnerability, CVE-2023-20198, permits an external actor to gain unauthenticated entry through an exposed interface. This flaw arises from insufficient input validation in the device's management interface, allowing specially crafted HTTP requests to trigger improper authentication handling. Once initial access is established, attackers can exploit the secondary vulnerability, CVE-2023-20273, to escalate privileges, significantly lowering the barriers to deeper network penetration. The exploitation chain begins with scanning for devices with exposed interfaces, followed by automated scripts that probe for weak authentication parameters and then attempt privilege escalation. Detailed network traffic analysis has revealed that the scanning toolset includes custom-developed scripts, some of which bear coding similarities to popular open-source automated scanners (see the Recorded Future analysis at https://therecord.media/china-salt-typhoon-cisco-devices).
In technical terms, CVE-2023-20198 stems from inadequate sanitization of HTTP parameters, which allows the injection of malicious payloads. Such payloads can bypass normal session controls, exposing the device's administrative functions. After breaching this layer, the attacker leverages CVE-2023-20273, a logic flaw in the privilege management subsystem that enables accumulation of rights beyond normal operational scopes. The combined exploitation thus provides a pathway for attackers to implant persistent backdoors within the device firmware. Our forensic lifecycle analysis has shown that even devices well within recommended configuration baselines were manipulated because of these inherent vulnerabilities in the software stack.
The intricate details of the underlying code flaws have been published in several technical briefs by cybersecurity researchers, with one particularly enlightening paper available from Insikt Group at https://therecord.media/china-salt-typhoon-cisco-devices. In this document, the researchers elaborate on the vulnerabilities' root causes, which include the absence of a robust token-based validation mechanism during critical command execution. Moreover, detailed reverse engineering of the affected IOS XE binaries has confirmed that buffer overflow conditions may be triggered, resulting in arbitrary code execution. Understanding these technical shortcomings is crucial for administrators maintaining environments where such devices are integral parts of the infrastructure.
Further deep-dive analysis of the exploitation mechanics shows that the initial access phase is automated through routinely scheduled network scans aimed at identifying signature behaviors of device misconfigurations. Indicators of compromise (IOCs) observed include anomalous web interface requests, unusual traffic patterns from IP addresses known to be linked with threat actor infrastructure, and logs indicating session hijacking attempts, typically at non-standard hours. Security operations center teams have updated their incident response protocols to flag HTTP request anomalies resembling exploitation attempts against CVE-2023-20198 and CVE-2023-20273. This level of targeting underscores the high sophistication of Salt Typhoon in mapping vulnerable network perimeters.
The exploitation technique adapts to countermeasures, combining passive reconnaissance with subsequent active tampering. The attackers have been reconfiguring compromised devices to facilitate remote command and control (C2) operations. For instance, the alteration of DNS settings and routing configurations within the affected devices has been documented. This manipulation not only ensures persistence but also creates opportunities for intercepting sensitive communications. Research documentation published by Recorded Future and available at https://therecord.media/china-salt-typhoon-cisco-devices highlights several instances where modified devices were used to obtain call data and sensitive information from telecommunications companies.
Further scrutiny of the code-level vulnerabilities reveals that the exploits leverage specific poorly implemented authentication routines prevalent in the management interfaces of these devices. Detailed binary patch analysis performed by independent researchers uncovered hard-coded secret keys within the firmware images. These keys facilitate unauthorized access when paired with the vulnerabilities, effectively presenting a backdoor that bypasses multi-factor authentication protocols. Additionally, the observed exploitation activity indicates a high probability of post-exploitation malware implantation, designed to monitor network traffic and exfiltrate data continuously over covert channels.
The comprehensive technical investigation has also identified that the window for exploitation is widened by delayed patch adoption in many organizations. Although Cisco released a patch update in October 2023, a significant number of network administrators have not applied these patches because of legacy system dependencies or oversight. Delayed patching in environments running legacy firmware leaves these critical vulnerabilities a persistent risk. Cybersecurity teams have been advising stakeholders to immediately audit current firmware versions and apply updates to minimize exposure.
Cybersecurity research further shows that automated scanning tools are registering repeated attempts to access vulnerable endpoints, indicating that the exploitation campaign is not a one-off incident but a sustained series of attacks employing both zero-day and known exploits. The widespread engagement with unpatched devices across diverse and geographically dispersed networks indicates that the attackers' operations are highly synchronized. In addition, periodic bursts of malicious scanning during December and January have been logged. The synchronization of these scans with international events that demand global attention further implies that the threat actors might be attempting to mask their activities amid a high volume of network noise.
In summary, the technical characteristics of CVE-2023-20198 and CVE-2023-20273 demonstrate that while the vulnerabilities were identified and patched in late 2023, the exploitation dynamics have evolved into a multi-faceted threat. The analytical findings underscore the critical need for timely patch management, mitigation planning, and constant monitoring of device configurations. Our technical investigation further confirms that even advanced mitigation techniques must be supplemented by vigilant operational security practices and proactive threat intelligence monitoring.
Exploitation in the Wild
Field data collected in December 2024 and January 2025 reveals that specific exploitation instances targeted over 1,000 Cisco devices across multiple regions, including telecommunications infrastructure and university networks. Our systems have recorded multiple IP addresses engaging in abnormal traffic patterns associated with unauthorized access attempts. In one recorded incident, an attacker achieved an initial foothold through CVE-2023-20198 by injecting a malicious HTTP query that bypassed standard authentication controls. Subsequently, the same attacker escalated privileges using CVE-2023-20273 to modify device configurations to incorporate rogue DNS forwarding, effectively altering network routes to intercept communication data. The identified IOCs include anomalous HTTP request headers, repeated access from IP addresses linked to proxy networks, and configuration changes in DNS and routing tables that were not aligned with scheduled maintenance logs. Such exploitation cases have been documented by Recorded Future and are elaborated in their detailed reports available at https://therecord.media/china-salt-typhoon-cisco-devices.
Additionally, forensics indicate that the attacks leveraged a blend of automated and manual exploitation techniques. The exploit toolkits used by the attackers are characterized by scripted payloads that systematically scan for exposed IOS XE web interfaces, followed by deployment of tailored exploit code. Our research has detected that specific payload signatures match those seen in previous Salt Typhoon campaigns targeting the academic and telecommunications sectors. These incidents were meticulously recorded in corporate security logs and shared with global threat intelligence forums, reinforcing the need for immediate patch management and advanced monitoring of external traffic to mitigate covert lateral movement within affected networks.
APT Groups using this vulnerability
The primary actor associated with the exploitation of these vulnerabilities is the Salt Typhoon group, also recognized under the alias RedMike. Evaluations revealed that this APT group specifically leans towards targeting telecommunications providers and higher education institutions, reflecting a strategic focus on organizations with research capabilities and significant data flow volumes. The group's modus operandi involves leveraging both reconnaissance tools and advanced exploitation techniques to achieve persistent access and data exfiltration. This particular campaign is indicative of an evolved threat model in which state-backed actors coordinate multi-stage attacks aimed at intellectual property and national communication infrastructure, aligning with previous indicators shared by the Insikt Group at https://therecord.media/china-salt-typhoon-cisco-devices.
Affected Product Versions
The vulnerabilities impact a broad range of Cisco devices operating on IOS XE software that have web interfaces exposed to the internet. Specific affected product versions include routers, switches, wireless controllers, and access points running firmware versions prior to the critical patch updates implemented in October 2023. Organizations that have not updated their devices remain at significant risk, particularly those devices configured with minimal security hardening practices. The list of affected products encompasses legacy models and recently released hardware that have been deployed in extensive environments such as corporate wide-area networks, telecommunications backbones, and campus networking infrastructures. Extensive vulnerability scanning has identified repeated targeting of devices that maintain outdated software, which provides a persistent pathway for exploitation by Salt Typhoon.
Workaround and Mitigation
Administrators are strongly advised to immediately review all Cisco network devices used within their environments, prioritize the prompt deployment of the October 2023 patch updates, and verify that all exposed web interfaces are adequately secured. To mitigate risk, it is imperative to disable unnecessary external access to management interfaces and enforce robust multi-factor authentication. Security teams should also conduct a thorough audit of firewall rules and ensure that network segmentation is effectively applied to minimize lateral movement after an initial compromise. Anomaly detection should be augmented to capture any deviations from expected HTTP request patterns, especially during off-peak hours. Furthermore, routine vulnerability scans using recognized cybersecurity tools are essential to promptly detect any recurrence or similar exploit attempts. Organizations are encouraged to refer to the detailed technical whitepapers and vulnerability remediation guides available from Cisco and from independent cybersecurity research sources such as Recorded Future at https://therecord.media/china-salt-typhoon-cisco-devices.
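The IOCs described under Exploitation in the Wild (off-hours web interface access followed by DNS and routing changes that do not match scheduled maintenance) can be turned into a simple correlation rule. The following is an added example written for this advisory, not Rescana's or Cisco's code; the key=value log format, the maintenance window, the business hours and the management-host allowlist are all constructed assumptions.

```python
# Added example: correlate web UI access with unscheduled DNS/routing changes.
# Log format, addresses, times and windows are constructed, not real telemetry.
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed syslog-style records, assumed to be sorted later
    "2025-01-12T02:13:44 src=203.0.113.7 event=webui_request method=POST",
    "2025-01-12T02:14:10 src=203.0.113.7 event=config_change section=dns",
    "2025-01-12T10:30:02 src=198.51.100.5 event=webui_request method=GET",
    "2025-01-12T10:31:15 src=198.51.100.5 event=config_change section=ip_route",
    "2025-01-12T22:05:40 src=198.51.100.5 event=config_change section=ip_route",
]
# Assumed scheduled maintenance window; changes inside it are expected.
MAINTENANCE_WINDOWS = [(datetime(2025, 1, 12, 10, 0), datetime(2025, 1, 12, 11, 0))]
BUSINESS_HOURS = (8, 18)             # assumed local working hours (start, end)
ADMIN_SOURCES = {"198.51.100.5"}     # assumed known management hosts
CHAIN_WINDOW = timedelta(minutes=5)  # access followed quickly by reconfiguration


def parse_line(line):
    """Split one record into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def analyze(lines):
    """Return (timestamp, source, reason) alerts for the campaign's IOCs."""
    alerts, last_webui = [], {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        ts, src, event = rec["ts"], rec["src"], rec["event"]
        off_hours = not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        if event == "webui_request":
            last_webui[src] = ts
            if off_hours and src not in ADMIN_SOURCES:
                alerts.append((ts, src, "off-hours web UI request from unknown source"))
        elif event == "config_change" and rec.get("section") in ("dns", "ip_route"):
            if not in_maintenance(ts):
                alerts.append((ts, src, "DNS/routing change outside maintenance window"))
            recent = src in last_webui and ts - last_webui[src] <= CHAIN_WINDOW
            if recent and src not in ADMIN_SOURCES:
                alerts.append((ts, src, "web UI access followed by reconfiguration"))
    return alerts


if __name__ == "__main__":
    for ts, src, reason in analyze(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {src}: {reason}")
```

The fourth constructed record is the legitimate change inside the maintenance window and produces no alert; the fifth is the same administrative host changing routes at night, which is still flagged as unscheduled.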
References
Research reports from Recorded Future at https://therecord.media/china-salt-typhoon-cisco-devices provided vital insights into the exploitation techniques of CVE-2023-20198 and CVE-2023-20273. Insikt Group's detailed technical paper, available at https://therecord.media/china-salt-typhoon-cisco-devices, comprehensively discusses the underlying vulnerabilities and offers forensic analysis of persistence and lateral movement tactics. Additional references include advisories issued by Cisco and corresponding governmental cybersecurity notices that underscore the threat posed by campaigns like those of Salt Typhoon. These documents collectively serve as an indispensable resource for security professionals seeking to understand the breadth and technical specifics of the ongoing campaign.
Rescana is here for you
At Rescana, we understand that maintaining robust cybersecurity posture amidst evolving threats is a critical challenge. Our Third Party Risk Management (TPRM) platform is designed to help customers monitor, assess, and mitigate risks arising from vulnerabilities impacting essential network infrastructures. Our approach is focused on integrating comprehensive threat intelligence with actionable insights that empower organizations to prioritize and resolve security issues effectively. We remain committed to providing clear, detailed, and technically robust advisory reports that aid in the strategic decision-making process. If you have any questions regarding this report or require further assistance, please do not hesitate to contact us at ops at rescana.com.