Chinese Hackers ‘Salt Typhoon’ Still Targeting Telecoms Worldwide via Unpatched Cisco Devices


Brandon Lee
Posts: 534
Admin
Topic starter
(@brandon-lee)
Member
Joined: 15 years ago

The Chinese state-sponsored hacking group Salt Typhoon (also known as RedMike) is still actively targeting telecommunications providers around the globe. They have been exploiting unpatched Cisco IOS XE vulnerabilities to breach networks, including US-based providers.

Key Vulnerabilities Used in the Attacks

🔴 CVE-2023-20198 – Privilege escalation vulnerability
🔴 CVE-2023-20273 – Web UI command injection flaw

Apparently, these vulnerabilities have been used in recent attacks. These have led to breaches at multiple telecommunications providers, including:
✅ A U.S. ISP
✅ A U.S.-based affiliate of a U.K. telecom provider
✅ A South African telecom provider
✅ An Italian ISP
✅ A major Thailand telecom provider

How the Attacks Work

Threat researchers have noticed that Salt Typhoon compromised and reconfigured Cisco devices, using Generic Routing Encapsulation (GRE) tunnels to maintain persistence. What has happened so far?

Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices. More than half of the devices have been located in:
📍 U.S.
📍 South America
📍 India

Insikt Group also found that over 12,000 Cisco devices remain exposed to the internet. This is crazy! Don't do this! It seems like only 8% of them have been actively targeted. This probably means there is some type of strategic selection process focused on telecom-related infrastructure.

Cisco Devices Are Always a Target

This isn’t the first time Cisco vulnerabilities have been exploited. Two years ago, these same flaws were used in zero-day attacks to compromise more than 50,000 Cisco IOS XE devices. It allowed hackers to deploy backdoor malware using rogue privileged accounts.

A November advisory from Five Eyes listed these vulnerabilities among the top four most exploited in 2023.

U.S. Telecoms & Government Officials Affected

This campaign is part of a broader espionage effort confirmed by the FBI and CISA. In October 2024, they revealed that Salt Typhoon had breached:

  • AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream
  • Other telecom companies across dozens of countries
  • Private communications of U.S. government officials
  • U.S. law enforcement’s wiretapping platform

Security Recommendations

🔹 Patch immediately – Apply all security updates for Cisco IOS XE as soon as possible.
🔹 Disable public-facing interfaces – Never expose administration interfaces and non-essential services directly to the internet.
🔹 Monitoring – Check for unauthorized GRE tunnel configurations or suspicious activity.

The FCC, CISA, and the White House have issued multiple warnings in response to these breaches, urging telecom providers to harden their networks and switch to encrypted communication platforms for secure messaging.

📌 Are you running Cisco IOS XE devices? Have you noticed unusual activity in your network logs? Share your insights and experiences below.
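As an added example (not part of the post above or of any Cisco tooling), here is a small Python audit that parses an IOS XE running-config excerpt and flags GRE tunnel interfaces whose destination is not on a change-controlled list of approved peers, the kind of check the "Monitoring" recommendation calls for. The hostname, addresses and approved-peer set are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a Cisco IOS XE running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Tunnel10
 description Approved site-to-site link to branch office
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel99
 ip address 172.31.250.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.77
!
"""

# Change-controlled list of tunnel endpoints the network team has approved (constructed).
APPROVED_TUNNEL_PEERS: Set[str] = {"203.0.113.10"}

def parse_tunnels(config: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_name: {mode, source, destination, description}} from a running-config."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        match = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if match:
            current = match.group(1)
            # IOS XE uses GRE over IPv4 when no 'tunnel mode' is configured.
            tunnels[current] = {"mode": "gre ip"}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a new top-level command ends the interface stanza
            continue
        stripped = line.strip()
        for keyword in ("tunnel source", "tunnel destination", "tunnel mode", "description"):
            if stripped.startswith(keyword + " "):
                tunnels[current][keyword.split()[-1]] = stripped[len(keyword) + 1:]
    return tunnels

def unauthorized_gre_tunnels(config: str, approved_peers: Set[str]) -> List[str]:
    """Names of GRE tunnels whose destination is not in the approved peer list."""
    return sorted(name for name, attrs in parse_tunnels(config).items()
                  if attrs["mode"].startswith("gre") and attrs.get("destination") not in approved_peers)
```

Run it against `show running-config` output collected from each device and alert on any non-empty result; a tunnel that appears without a matching change ticket is worth investigating.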

1 Reply
Posts: 54
(@malcolm-r)
Trusted Member
Joined: 1 year ago

it always boggles my mind how often these devices are left exposed to the internet. just... beyond belief.
