
A Chinese cyber-espionage group, identified as Salt Typhoon, continues its aggressive campaign against telecommunications networks and universities worldwide, particularly in the U.S., South America, and India. Despite public scrutiny and U.S. sanctions, the group persists in exploiting unpatched Cisco devices, allowing them to gain privileged access and establish covert control over critical infrastructure.
Threat intelligence firm Recorded Future has reported continuous waves of scanning and exploitation attempts targeting two known vulnerabilities in Cisco IOS XE devices. Hackers are using these flaws to add privileged user accounts and configure virtual tunnels, enabling remote access and persistent control over affected systems.
Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is believed to have full access to at least nine major U.S. telecom networks, along with others in dozens of countries. In December 2024, AT&T and Verizon confirmed ejecting the hackers from their networks, but reports suggest other telecom providers remain compromised.
Salt Typhoon has been linked to intercepting voice communications in real time, particularly those of government officials and political campaign leaders. The group reportedly targeted 2024 U.S. presidential candidates and exploited court-authorized wiretap backdoors, potentially spying on FBI counter-surveillance efforts. Additionally, large-scale metadata collection has focused on Washington, D.C., raising national security concerns.
Beyond telecom networks, hackers have also targeted university research institutions in the U.S., Netherlands, Argentina, Bangladesh, Indonesia, Mexico, Thailand, and Vietnam, including UCLA and Delft University of Technology. Analysts suggest the objective is to steal research related to telecommunications, engineering, and emerging technologies.
A new report from Insikt Group, Recorded Future’s threat research division, details six separate days of scanning and exploitation activity between December 4, 2024, and January 23, 2025. During this period, over 12,000 Cisco devices were exposed, with 1,000 specifically targeted—primarily telecoms and universities.
Salt Typhoon uses generic routing encapsulation (GRE) tunnels to bypass firewalls and intrusion detection systems, maintaining stealthy data exfiltration. GRE tunnels allow attackers to encapsulate stolen data within network traffic, evading traditional cybersecurity defenses.
Salt Typhoon continues to target two major Cisco vulnerabilities, both patched in October 2023:
CVE-2023-20198 – A zero-day flaw in the web management interface of Cisco IOS XE software, allowing attackers to create unauthorized user accounts.
CVE-2023-20273 – A secondary vulnerability, enabling root-user privileges on compromised devices.
Cisco acknowledged the ongoing exploitation of these vulnerabilities and urged users to immediately apply available patches while restricting public-facing administration interfaces.
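The three artifacts the report describes on a compromised IOS XE device (an added privilege-15 account, a GRE tunnel for exfiltration, and a reachable web management interface) can all be checked in a running configuration. The following audit script is an added example, not code from the article or from Cisco; the configuration text, the hostname, the usernames and the addresses in it are constructed, and the `known_admins` set is assumed to come from your own provisioning records.

```python
import re

# Constructed IOS XE "show running-config" excerpt (not from the article) with
# an extra privilege-15 user, a GRE tunnel interface, and the web UI enabled.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface Tunnel99
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

def audit_ios_xe_config(config, known_admins):
    """Flag privilege-15 users not in known_admins, GRE tunnel interfaces
    (with their destination), and an enabled HTTP/HTTPS management server."""
    findings = {"unknown_priv15_users": [], "gre_tunnels": [], "web_ui_enabled": []}
    tunnel = None  # state for the Tunnel interface block being parsed, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            # Top-level command: any open interface block ends here.
            if tunnel and tunnel["gre"]:
                findings["gre_tunnels"].append((tunnel["name"], tunnel["dest"]))
            tunnel = None
            m = re.match(r"^username (\S+) privilege 15\b", line)
            if m and m.group(1) not in known_admins:
                findings["unknown_priv15_users"].append(m.group(1))
            elif line in ("ip http server", "ip http secure-server"):
                findings["web_ui_enabled"].append(line)
            elif re.match(r"^interface Tunnel\d+$", line):
                tunnel = {"name": line.split()[1], "gre": False, "dest": None}
        elif tunnel:
            sub = line.strip()
            if sub.startswith("tunnel mode gre"):
                tunnel["gre"] = True
            elif sub.startswith("tunnel destination "):
                tunnel["dest"] = sub.split()[2]
    if tunnel and tunnel["gre"]:  # config may end inside a tunnel block
        findings["gre_tunnels"].append((tunnel["name"], tunnel["dest"]))
    return findings

if __name__ == "__main__":
    for key, hits in audit_ios_xe_config(SAMPLE_CONFIG, {"netops"}).items():
        print(f"{key}: {hits}")
```

Run it against the output of `show running-config` collected out-of-band; any unknown privilege-15 user or unexpected GRE tunnel warrants a full review of the device rather than just removal of the line.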
Recorded Future warns that Salt Typhoon’s infrastructure is being used as a stepping stone for additional attacks. In December 2024, the group reportedly targeted Myanmar-based telecom Mytel, possibly breaching its corporate email servers.
Despite public warnings and sanctions, Salt Typhoon remains highly active and adaptive, posing a serious cybersecurity threat to global telecoms, universities, and government agencies.