Feb 24, 2025 • GreyNoise Blog
GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks
Executive Summary
GreyNoise has identified active exploitation attempts targeting two critical Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. While recent intelligence reports associate these vulnerabilities with the Chinese state-sponsored threat group Salt Typhoon, GreyNoise explicitly states that it is not attributing the currently observed exploitation activity to that group. Exploitation of CVE-2023-20198 involves over 110 malicious IPs across multiple countries, indicating widespread scanning or attack attempts; CVE-2018-0171 shows limited activity from two IPs. Organizations running Cisco infrastructure should prioritize patching these vulnerabilities immediately to prevent unauthorized access or privilege escalation. Although direct attribution to Salt Typhoon remains unconfirmed for these specific instances, the association suggests potential state-sponsored interest. Security teams should monitor network traffic for signs of exploitation and implement strict access controls to mitigate the risk posed by these publicly known vulnerabilities, which are actively being weaponized in the wild.
Summary
GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These CVEs were referenced in recent reports on Salt Typhoon, a Chinese state-sponsored threat group, though GreyNoise is not attributing the observed exploitation to Salt Typhoon.
Linked Entities
- Salt Typhoon
- CVE-2018-0171
- CVE-2023-20198