
Salt Typhoon exploited 2018 Cisco bug to infiltrate US telecoms


Cisco Talos confirmed that a Cisco vulnerability disclosed seven years ago was used by the China-based Salt Typhoon threat group to infiltrate the networks of major U.S. telecom companies.

In abusing the flaw — CVE-2018-0171 — Cisco Talos said the advanced persistent threat (APT) group used valid, stolen credentials to maintain access for long periods of time, in one case up to three years.

Cisco Talos said in a Feb. 20 blog post that while there were some reports that Salt Typhoon abused three other known Cisco vulnerabilities, the networking giant had not identified any evidence to confirm those claims.

The case brought to light how attackers can abuse flaws that are several years old to wreak havoc on critical infrastructure. It also underscored the importance of identity security, because the intrusion relied on stolen credentials.

Darren Guccione, co-founder and CEO of Keeper Security, said Salt Typhoon’s campaign reminds us that identity security remains central to cyber resilience. Guccione pointed out that stolen credentials let the group persist in networks for years, highlighting the need for strong password policies, enterprise password management, and multi-factor authentication.

“But stopping credential theft isn’t enough,” said Guccione. “Organizations must also ensure that attackers can’t escalate privileges or move laterally once inside.

“Beyond credential theft, the fact that Salt Typhoon exploited an unpatched vulnerability from 2018 exemplifies how outdated systems can become long-term liabilities. Effective cybersecurity isn’t just about sealing off the front door — it requires vigilance in closing known security gaps and limiting damage when defenses fail.”

Rom Carmel, co-founder and CEO at Apono, added that the incident serves as yet another wake-up call for the industry: Legacy security gaps are still being exploited, and traditional perimeter-based defenses are no longer enough.

“Time and again, we see everyone from criminal gangs to APTs using tried-and-true methods like stolen credentials and known vulnerabilities to gain footholds, escalate privileges, and access sensitive resources,” said Carmel. “As organizations expand their cloud footprint, their identity attack surface grows, offering hackers more opportunities to exploit security gaps.”

Lawrence Pingree, vice president at Dispersive, said that had proper multifactor authentication and zero-trust network isolation been applied, much of Salt Typhoon’s exploit activity would have been mitigated.

“Taking sensitive systems off the wide open internet is a key ingredient in preventing widespread exploitation,” said Pingree. “Where possible, administrative systems and access should be handled separately from normal user VPN access as well.”
