Cisco Publishes Known Exploitation Advisory - 20250224001
Overview
Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials, as part of a targeted campaign aimed at major U.S. telecommunications companies. No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, Cisco has not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs has a security fix available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching imperative.
What is vulnerable?
Product(s) Affected | Version(s) | CVE | CVSS | Severity |
---|---|---|---|---|
Cisco IOS and IOS XE Software Smart Install | Cisco IOS or IOS XE Software and have the Smart Install client feature enabled; see Smart Install Configuration Guide - Supported Devices | CVE-2018-0171 | 9.8 | Critical |
Cisco IOS XE Software Web UI Feature | 17.9; 17.6; 17.3; 16.12 (Catalyst 3650 and 3850 only) | CVE-2023-20198 | 10.0 | Critical |
Cisco IOS XE Software Web UI Feature | 17.9; 17.6; 17.3; 16.12 (Catalyst 3650 and 3850 only) | CVE-2023-20273 | 7.2 | High |
Cisco NX-OS Software CLI | Nexus 3000 Series Switches; Nexus 7000 Series Switches that are running Cisco NX-OS Software releases 8.1(1) and later; Nexus 9000 Series Switches in standalone NX-OS mode | CVE-2024-20399 | 6.7 | Medium |
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours... (refer Patch Management):
- Cisco Talos: Weathering the storm: In the midst of a Typhoon https://blog.talosintelligence.com/salt-typhoon-analysis/