Cyber Threat Actors Hacked Cisco Servers by Exploiting SaltStack Vulnerabilities


Attackers recently hacked a number of Cisco Systems servers used with the Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) platform, a service that allows users to create and test network topologies (the arrangement of the elements of a network) without installing the devices.

In this attack, the cybercriminals exploited critical vulnerabilities in the open-source SaltStack Salt framework.

Salt is widely used for automation services, as well as for data center systems management.

According to Cisco experts, the Cisco Modeling Labs Corporate Edition (CML) is also vulnerable to attacks because it includes a version of SaltStack that runs the vulnerable Salt Master (“master”) installation.

In general, CML allows users to simulate Cisco devices and third-party devices, while VIRL-PE, as noted earlier, enables users to design and test virtual networks in a development and testing environment.

Vulnerable Products

The following products are affected by these vulnerabilities:

  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Servers That Were Compromised

According to the company, the attackers managed to compromise six infrastructure servers:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

The image below shows an example of a device where the salt-master service is enabled:

Security Flaws

The vulnerabilities correspond to an authentication bypass that is identified as CVE-2020-11651, and a directory traversal that is identified as CVE-2020-11652.

Collectively, these two flaws can allow the attackers to gain unauthorized access to the entire file system of the servers that are configured in SaltStack.

Cisco updated the compromised servers on May 7, 2020, applying all the necessary patches that address the authentication bypass (CVE-2020-11651) and directory traversal (CVE-2020-11652) vulnerabilities affecting SaltStack servers.

Cisco has released two essential updates for the VIRL-PE services and the related product Cisco Modeling Labs Corporate Edition. Security experts point out that without the updates, any version of both services could remain vulnerable to these security flaws.

SaltStack Salt is an automation and remote execution engine meant to monitor and update servers. It allows users to run commands on multiple systems through a master node that applies the changes to target servers.
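Because the master node is what applies changes to target servers, the first triage question on a host is whether the salt-master service is enabled and listening beyond loopback. The script below is an added example, not code from the article or from Cisco; it assumes Salt's default master ports 4505 and 4506, and the function names and the sample `ss` output are constructed for illustration.

```shell
# Added example (not from the article or Cisco): triage a host for an exposed Salt master.
# Assumption: Salt's default master ports, 4505 (publish) and 4506 (request).
SALT_PORTS_RE='^(4505|4506)$'

# Constructed sample of `ss -H -ltn` output, used when the script runs without --live.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 100 127.0.0.1:4506 0.0.0.0:*
LISTEN 0 100 [::]:4506 [::]:*'

# Read `ss -H -ltn` lines on stdin; print "address port" for each Salt master
# listener bound to anything other than loopback.
exposed_salt_listeners() {
  awk -v re="$SALT_PORTS_RE" '{
    n = split($4, parts, ":")            # $4 is Local Address:Port
    port = parts[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (port !~ re) next
    if (addr ~ /^127\./ || addr == "[::1]") next
    print addr, port
  }'
}

# $1: `systemctl is-enabled salt-master`, $2: `systemctl is-active salt-master`,
# $3: output of exposed_salt_listeners. Prints one verdict word.
salt_master_verdict() {
  if [ -n "$3" ]; then
    echo "EXPOSED"               # reachable from the network: patch and firewall first
  elif [ "$1" = "enabled" ] || [ "$2" = "active" ]; then
    echo "ENABLED_NOT_EXPOSED"   # present, but no non-loopback listener seen
  else
    echo "NOT_RUNNING"
  fi
}

if [ "${1:-}" = "--live" ]; then
  listeners=$(ss -H -ltn | exposed_salt_listeners)
  enabled=$(systemctl is-enabled salt-master 2>/dev/null)
  active=$(systemctl is-active salt-master 2>/dev/null)
  salt_master_verdict "$enabled" "$active" "$listeners"
else
  listeners=$(printf '%s\n' "$SAMPLE_SS" | exposed_salt_listeners)
  salt_master_verdict enabled active "$listeners"
fi
```

Run with `--live` on the host being checked; without arguments it evaluates only the constructed sample.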

Cisco is not the only company attacked through these flaws; attackers had earlier used them against other popular companies as well.

Ghost reported that hackers hacked their servers and infected their systems with bitcoin mining malware using these security flaws in early May.

Xen-Orchestra has also reported suffering from the same problem. We strongly recommend updating your devices immediately with the latest security patch released by Cisco to stay secure.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
