New Wave of Hacking Attacks on Cisco Devices: Over 100 Malicious IPs Identified

One of today’s most pressing cybersecurity issues is the large-scale attacks targeting Cisco networking equipment. According to recent reports, hundreds of devices are at risk due to the active exploitation of vulnerabilities CVE-2023-20198 and CVE-2018-0171.

Security experts have identified 110 malicious IP addresses involved in exploiting these vulnerabilities. What is particularly alarming is that state-sponsored hacker groups are actively leveraging these flaws.

1. CVE-2023-20198: A Critical Vulnerability in Cisco IOS XE

This vulnerability allows privilege escalation, enabling attackers to gain full control over Cisco devices via the web interface.

The geographical distribution of the malicious IPs exploiting CVE-2023-20198:

🔴 Bulgaria – 38%
🔴 Brazil – 27%
🔴 Singapore – 19%

Since October 2024, the number of attacks has tripled.

2. CVE-2018-0171: Smart Install Exploitation

Although this vulnerability was discovered seven years ago, it remains present in outdated Cisco devices.

In recent years, major telecom data breaches have been linked to this flaw, and a new wave of attacks has been observed.

🔹 Two malicious IPs (from Switzerland and the U.S.) have exploited this flaw between December 2024 and January 2025.

According to investigations, the Chinese state-sponsored hacking group Salt Typhoon (also known as RedMike) has been systematically targeting global telecom providers since 2021.

🔹 Their primary method involves a combination of credential theft and vulnerability exploitation.

Exploited Vulnerabilities:

✔ CVE-2023-20198 – Full control over devices via Cisco’s web interface.
✔ CVE-2023-20273 – Command injection allowing privileged remote execution.
✔ CVE-2018-0171 – Exploitation of the outdated Smart Install feature.

Main Targets of the Attacks:

📌 An ISP in the U.S.
📌 A telecom company affiliate in the U.K.
📌 Providers in South Africa and Thailand

Security researchers at Cisco Talos have confirmed that Salt Typhoon uses network protocol analysis to steal authentication credentials (e.g., SNMP/TACACS), facilitating lateral movement within company networks.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued official guidelines for mitigating Cisco IOS XE vulnerabilities.

The CVE-2023-20198 flaw affects all Cisco devices with the HTTP or HTTPS Server feature enabled.

🔴 MITIGATION MEASURES:

✅ Apply all updates immediately – Ensure Cisco security patches are installed without delay.

✅ Restrict access to management interfaces – Block direct internet access to Cisco devices.

✅ Use strong authentication mechanisms – Enable two-factor authentication (2FA) for device management.

✅ Implement network segmentation – Isolate Cisco devices from critical systems to limit attack impact.

✅ Disable Cisco Smart Install by executing:

✅ Disable Telnet and enforce SSH instead. Apply the following settings for VTY lines:

✅ Disable the Guestshell service if not needed by running:

Hacking attacks on Cisco devices have escalated into a global security threat. State-sponsored hacker groups are actively exploiting these vulnerabilities, posing severe risks to telecom and IT infrastructures.

If you use Cisco networking devices, it is crucial to immediately strengthen security and apply all necessary updates.

📌 Remember: Failure to implement proper security measures in time can have catastrophic consequences!