Salt Typhoon Compromises 200+ Networks in Global PRC Telecom Espionage Campaign

PRC (People's Republic of China) state-sponsored cyber actors tracked as Salt Typhoon — also known as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor — have compromised more than 200 organizations across 80+ countries in a systematic campaign targeting telecommunications backbone infrastructure. Joint advisory AA25-239A, published August 27, 2025 by CISA, NSA, FBI, and international partners, documents how these actors exploit known, unpatched vulnerabilities — including CVE-2023-20198, a Cisco IOS XE authentication bypass rated CVSS v3 10.0 (Critical, the highest possible score: remotely exploitable with no credentials and no user interaction required) — to establish persistent footholds inside global telecom networks. At least nine U.S. telecommunications providers have been confirmed compromised.

Salt Typhoon Campaign: Technical Details

The advisory's most striking finding is that Salt Typhoon achieves its scale without deploying novel zero-day vulnerabilities. There is no evidence of new undisclosed flaws being used. Instead, the actors succeed consistently by targeting devices that organizations have not patched — sometimes years after fixes were made available.

CVE-2023-20198 — Cisco IOS XE privilege escalation. CVE-2023-20198 (CVSS v3 score 10.0 — Critical) affects Cisco IOS XE, the operating system running on Cisco enterprise and service-provider routers and switches. The vulnerability allows an unauthenticated remote attacker to create a high-privilege account on the affected device. Salt Typhoon exploited this to extract running configuration files from network devices — files containing routing rules, access credentials, network topology maps, and ACL (Access Control List) configurations. Cisco disclosed the vulnerability in October 2023; organizations with unpatched devices remained exposed for months or years afterward.

The advisory also documents exploitation of a Cisco vulnerability patched in 2018 — a flaw roughly seven years old at the time of the advisory, still present on devices where the available fix had never been applied.

Persistence via ACL modification. After establishing access, the actors modify the device's ACLs (Access Control Lists — rule sets governing which traffic and administrative connections a router permits) to add their own IP addresses to the allow list. This creates a persistent backdoor: even if credentials are reset or changed, the router continues accepting administrative connections from actor-controlled IPs because the ACL explicitly permits them. Detecting this persistence mechanism requires reviewing router configurations directly, not just monitoring authentication logs.

Traffic interception via GRE tunnels. The actors configure GRE (Generic Routing Encapsulation) tunnels — a protocol that wraps one type of network traffic inside another to create covert channels — on compromised devices to siphon network traffic from the provider's infrastructure. Unencrypted communication transiting a compromised backbone router is effectively readable by the attacker.

Additional tooling. On Windows systems within target environments, the actors deploy Demodex, a Windows kernel-mode rootkit (a type of malware operating at the lowest level of the operating system, below most security products, making it extremely difficult to detect or remove). For exfiltration, they use a custom SFTP (Secure File Transfer Protocol) client written in Go (the Golang programming language) that encrypts and transfers stolen data archives. Salt Typhoon also uses web shells (malicious scripts uploaded to web-accessible servers that provide persistent remote command execution) and living-off-the-land (LOTL) techniques — repurposing legitimate system tools like PowerShell or WMI to carry out attacker tasks while blending in with normal system activity.

Exploitation Status and Threat Landscape

Salt Typhoon's campaign is ongoing and global. The advisory attributes the activity to three PRC-linked entities: Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These organizations, the advisory states, provide cyber-related products and services to China's intelligence services.

Confirmed scope as of the advisory's publication: 200+ organizations, 80+ countries, at least 9 U.S. telecommunications providers. The U.S. Senate Commerce Committee noted in December 2025 that American communications networks remain vulnerable. The campaign has also been linked to the compromise of systems used by U.S. law enforcement for court-authorized wiretaps — a particularly sensitive category of access.

CVE-2023-20198 is listed on CISA's Known Exploited Vulnerabilities (KEV) catalog — a list maintained by CISA (the U.S. Cybersecurity and Infrastructure Security Agency) that confirms active exploitation of specific vulnerabilities in the wild. Inclusion in the KEV catalog triggers mandatory patching deadlines for U.S. federal agencies under Binding Operational Directive 22-01.

Who Is Affected

The advisory's primary target sectors are:

  • Telecommunications backbone providers — ISPs, national carriers, international transit providers operating PE (provider edge) and CE (customer edge) routers
  • Government and military communications networks
  • Transportation infrastructure with dedicated carrier-grade networks
  • Lodging and hospitality networks — the advisory explicitly names this sector, likely because hotels hosting government travelers represent intelligence collection opportunities

Organizations that do not operate their own router infrastructure are not automatically safe. Salt Typhoon has leveraged compromised telecom providers as a pivot point to reach customer networks through trusted connections. Any organization whose internet traffic transits a compromised carrier may have had communication intercepted in transit.

What You Should Do Right Now

  • Patch CVE-2023-20198 on all Cisco IOS XE devices immediately. Check the CISA KEV catalog for all required patches across your network infrastructure. Any device no longer receiving vendor support should be replaced — running end-of-life hardware in this threat environment is indefensible.
  • Audit router ACLs for unauthorized entries. Review Access Control Lists on all network devices for IP addresses or ranges not explicitly authorized by your network engineering team. Unauthorized ACL entries granting management access are the most reliably documented persistence mechanism in this campaign:
```bash
show running-config | include access-list
show ip access-lists
```

  • Scan for unexpected GRE tunnel interfaces. Any GRE tunnel not explicitly deployed by your team should be treated as a potential indicator of Salt Typhoon persistence:
```bash
show interfaces tunnel
show running-config | section interface Tunnel
```

  • Restrict router management plane access. Move all management interfaces (SSH, SNMP, HTTPS management) to a dedicated out-of-band management network or VLAN with explicit ACL allow-lists. Management protocols should never traverse production traffic paths.
  • Enable configuration change alerting. ACL modifications and tunnel creation on routers should generate immediate alerts to your security operations center. Salt Typhoon's persistence relies entirely on configuration changes going unnoticed in environments lacking adequate monitoring.
  • Encrypt sensitive traffic end-to-end. If your organization connects to a major telecom provider that may be compromised, treat the network path as untrusted. Enforce TLS 1.3 minimum for all sensitive communication; do not rely on network-layer confidentiality for data in transit.
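As an added example (not from the advisory or the original article), the two configuration checks above can be automated against a saved running-config: this Python script parses a constructed IOS XE config excerpt, flags standard-ACL permit entries whose source falls outside an assumed management allow-list, and flags GRE tunnel interfaces whose peer is not on an assumed approved list. The allow-lists, interface names and addresses are all constructed for the example; it handles standard ACLs only and treats a Tunnel interface with no explicit mode as GRE (the IOS default).

```python
import ipaddress
import re
# Constructed IOS XE running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel99
 tunnel destination 198.51.100.77
!
ip access-list standard MGMT-ACL
 permit 10.10.0.0 0.0.0.255
 permit 198.51.100.77
"""
APPROVED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management subnet
APPROVED_TUNNEL_PEERS = {"203.0.113.10"}                # assumed sanctioned GRE peers

def config_sections(config):
    """Group indented lines under their top-level header; '!' lines are separators."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.strip() and not line.startswith((" ", "!")):
            current = sections.setdefault(line, [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return sections

def wildcard_to_network(addr, wildcard="0.0.0.0"):
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.0 -> /32
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def unauthorized_acl_entries(sections, approved=APPROVED_MGMT):
    """Standard-ACL permit entries whose source lies outside the approved ranges."""
    pat = re.compile(r"(?:\d+\s+)?permit\s+(?:host\s+)?(\d+(?:\.\d+){3})(?:\s+(\d+(?:\.\d+){3}))?")
    nets = [(h.split()[-1], wildcard_to_network(m.group(1), m.group(2) or "0.0.0.0"))
            for h, lines in sections.items() if h.startswith("ip access-list")
            for m in map(pat.match, lines) if m]
    return [(name, str(n)) for name, n in nets if not any(n.subnet_of(a) for a in approved)]

def unexpected_gre_tunnels(sections, approved=APPROVED_TUNNEL_PEERS):
    """Tunnel interfaces (GRE is the IOS default mode) whose peer is not sanctioned."""
    findings = []
    for header, lines in sections.items():
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), None)
        if header.startswith("interface Tunnel") and "gre" in mode and dest not in approved:
            findings.append((header.split()[-1], dest))
    return findings
```

Feed it the output of `show running-config` from each device; any finding is a configuration change to verify against your change records, since the advisory documents both ACL allow-list additions and unexplained GRE tunnels as persistence.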

Background: Understanding the Risk

Salt Typhoon is one of several PRC threat actor clusters that have come to prominence over the past three years. Its campaign overlaps in target scope with Volt Typhoon (which focuses on pre-positioning for potential disruption of U.S. critical infrastructure) and Flax Typhoon (which specializes in living-off-the-land techniques against similar sectors). All three reflect a coherent PRC strategic objective: establishing persistent, undetected access inside critical networks that can be activated for intelligence collection — or disruption — at a time of geopolitical necessity.

Telecommunications backbone infrastructure is particularly valuable because of its intelligence collection geometry. A persistent presence on a backbone router provides visibility into every unencrypted communication traversing that device — a passive collection capability that would otherwise require legal process in each jurisdiction. The advisory notes that at least one compromised provider's systems were used to access networks operated under U.S. court-authorized surveillance orders, a level of access that represents a direct counterintelligence risk.

The campaign's reliance on known, unpatched vulnerabilities rather than zero-days carries an important strategic message: these actors are patient, well-resourced, and willing to wait years for organizations to fail at basic patch management. The most effective defense is not exotic threat intelligence — it is a maintained patch program and a network architecture that treats management plane access as a security boundary.

Conclusion

Salt Typhoon's global telecom espionage campaign is active, attributed with high confidence, and built on vulnerabilities organizations had years to patch. The immediate priorities for network operators are patching CVE-2023-20198, auditing router ACLs for unauthorized entries, and scanning for unexpected GRE tunnels — the three most reliably documented initial-access and persistence mechanisms. Organizations that transit major telecom providers should treat end-to-end encryption of sensitive traffic as a baseline requirement, not an optional control.

For any query contact us at contact@cipherssecurity.com