Key Takeaways

  • GreyNoise has observed active exploitation of CVE-2023-20198, with 110 malicious IPs actively targeting vulnerable Cisco devices, primarily from Bulgaria, Brazil, and Singapore.
  • Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273.
  • CVE-2018-0171 was disclosed seven years ago, yet remains in use by advanced attackers.
  • Unpatched Cisco systems are being actively targeted. Organizations should take immediate action.

Background

Recent analyses have highlighted that Salt Typhoon, a Chinese state-sponsored cyber espionage group, has been actively targeting Cisco devices. The group employs various tactics, including the use of legitimate login credentials and, in some instances, exploiting known vulnerabilities such as CVE-2018-0171.

Between December 2024 and January 2025, Salt Typhoon reportedly leveraged CVE-2023-20198 and CVE-2023-20273 to compromise five additional telecom networks, including entities in the United States. 

GreyNoise Observations

GreyNoise’s global observation grid (GOG) has detected malicious exploitation attempts against two Cisco vulnerabilities linked to these attacks: 

CVE-2018-0171 (IOS and IOS XE Smart Install Remote Code Execution) 

  • Observed: Two malicious IPs exploited this vulnerability in December 2024 and January 2025.
  • These IPs were traced to Switzerland and the United States.
  • Cisco Talos reported Salt Typhoon likely used this CVE in real-world attacks. 

CVE-2023-20198 (IOS XE Web UI Privilege Escalation)

  • Observed: GreyNoise has confirmed 110 malicious IPs actively exploiting CVE-2023-20198 in real time, reinforcing the scale of ongoing attacks. 
  • These IPs were primarily traced to Bulgaria, Brazil, and Singapore. 

Mitigation Recommendations

  1. Apply all patches immediately. 
  2. Restrict management interface access. 
  3. Use GreyNoise to track real-time exploitation and block malicious IPs. 
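As an added example (not GreyNoise's or Cisco's own code), the following Python check audits an exported IOS / IOS XE running-config for the two exposure conditions that recommendations 1 and 2 are aimed at: Smart Install left enabled (the CVE-2018-0171 attack surface) and the web UI reachable without an `ip http access-class` restriction (the CVE-2023-20198 attack surface). The sample configs and the `MGMT-ONLY` ACL name are constructed, and the two config-text heuristics (`no vstack` present means Smart Install is off; an access-class line means the web UI is restricted) are assumptions of this example.

```python
"""Audit Cisco IOS / IOS XE running-config text for the exposure conditions
behind CVE-2018-0171 (Smart Install) and CVE-2023-20198 (web UI).

Assumptions (this example's heuristics, not Cisco guidance verbatim):
- Smart Install is treated as enabled unless an explicit "no vstack" line
  appears in the running-config.
- The web UI is treated as unrestricted when "ip http server" or
  "ip http secure-server" is enabled with no "ip http access-class" line.
"""
import re

# Constructed sample: management plane wide open.
SAMPLE_WEAK_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
end
"""

# Constructed sample: Smart Install off, HTTPS only, ACL-restricted web UI.
SAMPLE_HARDENED_CONFIG = """\
hostname edge-rtr-02
no vstack
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny any
end
"""

HTTP_SERVER_RE = re.compile(r"ip http (secure-)?server")


def audit_config(config: str) -> dict:
    """Return {finding: True if exposed, False if mitigated}."""
    lines = [line.strip() for line in config.splitlines()]
    smart_install_disabled = any(line == "no vstack" for line in lines)
    # fullmatch excludes "no ip http server", which disables the service.
    http_enabled = any(HTTP_SERVER_RE.fullmatch(line) for line in lines)
    http_restricted = any(line.startswith("ip http access-class") for line in lines)
    return {
        "smart_install_enabled": not smart_install_disabled,
        "web_ui_unrestricted": http_enabled and not http_restricted,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

Run it against a `show running-config` export to flag devices that still expose either surface before patching is complete.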

GreyNoise will continue monitoring for changes in exploitation patterns and provide updates as new intelligence emerges. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence. 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.