TTPwire Vol. 1 · MITRE ATT&CK·Tagged


GreyNoise

GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks

2025-02-24

ATT&CK techniques detected

3 predictions
T1190 Exploit Public-Facing Application
91%
"as cve-2018-0171. between december 2024 and january 2025, salt typhoon reportedly leveraged cve-2023-20198 and cve-2023-20273 to compromise five additional telecom networks, including entities in the united states. greynoise observations greynoise's global observati…"
T1190 Exploit Public-Facing Application
87%
"greynoise observes active exploitation of cisco vulnerabilities tied to salt typhoon attacks key takeaways - greynoise has observed active exploitation of cve-2023-20198, with 110 malicious ips actively targeting vulnerable cisco devices, primarily from bulgaria, brazil, and …"
T1588.006 Vulnerabilities
42%
"bulgaria, brazil, and singapore. mitigation recommendations - apply all patches immediately. - restrict management interface access. - use greynoise to track real-time exploitation and use greynoise block to block malicious ips. greynoise will continue monitoring for changes in…"

Summary

GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These CVEs were referenced in recent reports on Salt Typhoon, a Chinese state-sponsored threat group, though GreyNoise is not attributing the observed exploitation to Salt Typhoon.