RedMike Exploits Cisco Vulnerabilities in Global Espionage Campaign
February 18, 2025
Insikt Group, Recorded Future's threat research unit, has identified an ongoing global cyber espionage campaign run by the Chinese state-sponsored group RedMike, also tracked as Salt Typhoon. RedMike has been exploiting two vulnerabilities in the web user interface of Cisco IOS XE devices, CVE-2023-20198 and CVE-2023-20273, which chain from an unauthenticated web UI request to root on the device. This gives the group persistent access to the network infrastructure of targeted organizations.
Despite U.S. sanctions and extensive media coverage, RedMike continues to target high-value organizations. Between December 2024 and January 2025 the group attempted to exploit more than 1,000 Cisco devices worldwide; confirmed targets include a U.S.-based affiliate of a UK telecommunications company and a South African telecommunications provider.
According to Insikt Group, “RedMike’s exploitation of telecommunications infrastructure goes beyond technical vulnerabilities and represents a strategic intelligence threat.” The group first exploits CVE-2023-20198, an authentication bypass in the Cisco IOS XE web user interface (UI), to create a new local account with privilege level 15, the highest IOS privilege level. This is the initial stage of RedMike’s attack: with a privilege-15 account the attackers can run arbitrary IOS commands and change the configuration of the device.
Once initial access is established, RedMike exploits CVE-2023-20273, a command injection flaw in the same web UI component, to elevate from the new account to root on the underlying operating system. With full control of the device, the attackers modify its configuration and establish persistent backdoors. Insikt Group reports that “RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.” A GRE tunnel encapsulates the attackers’ traffic inside ordinary IP packets between the router and attacker-controlled infrastructure. GRE itself provides no encryption, but because the tunnel is part of the device configuration it survives reboots and gives RedMike a stable, router-level path into the network that can carry command-and-control and exfiltrated data past perimeter controls that only inspect traffic on the inside of the router.
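The attack chain above leaves three artifacts a defender can look for without touching the attacker’s infrastructure: an unexpected privilege-15 local user in the running configuration, a GRE tunnel interface pointing at an unrecognized destination, and web UI activity in the device syslog. The script below is an added example written for this article, not code from Insikt Group or Cisco. It runs over a constructed running-config and constructed syslog lines (no real capture); the `KNOWN_ADMINS` allow-list, the `svc_backup` account name, the tunnel endpoint `198.51.100.77` and the file name `bootflash:/sample.conf` are all assumptions. The three syslog message formats it matches (`%SEC_LOGIN-5-WEBLOGIN_SUCCESS`, `%SYS-5-CONFIG_P` from process `SEP_webui_wsma_http`, and `%WEBUI-6-INSTALL_OPERATION_INFO`) are the ones Cisco Talos published as indicators of CVE-2023-20198 follow-on activity in October 2023.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample running-config (not a real capture). It contains the two
# persistence artifacts described in the article: an attacker-added
# privilege-15 local user and a GRE tunnel to an external host.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$redacted
username svc_backup privilege 15 secret 9 $9$redacted
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip http secure-server
"""

# Constructed syslog lines in the shape IOS XE uses for web UI activity.
# Only the message formats are real; users, addresses and file names are made up.
SAMPLE_SYSLOG = [
    "*Jan 14 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 198.51.100.77] at 03:42:13 UTC Tue Jan 14 2025",
    "*Jan 14 03:42:20.555: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc_backup on line 0",
    "*Jan 14 03:43:01.009: %WEBUI-6-INSTALL_OPERATION_INFO: User: svc_backup, Install Operation: ADD bootflash:/sample.conf",
    "*Jan 14 04:00:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22] at 04:00:00 UTC Tue Jan 14 2025",
]

# Hypothetical allow-list of accounts that are supposed to hold privilege 15.
KNOWN_ADMINS = {"netops"}

PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)
WEBLOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\]")
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http")
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: (.+)$")


def find_unexpected_priv15_users(config: str, known_admins: Iterable[str]) -> List[str]:
    """Return privilege-15 local users that are not on the allow-list."""
    known = set(known_admins)
    return [user for user in PRIV15_RE.findall(config) if user not in known]


def find_gre_tunnels(config: str) -> List[Dict[str, str]]:
    """Return every interface block configured with 'tunnel mode gre'."""
    blocks = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "source": "", "destination": "", "gre": False}
            blocks.append(current)
        elif line.startswith("!"):
            current = None  # '!' terminates a configuration block
        elif current is not None and line.startswith(" tunnel "):
            parts = line.split()
            if parts[1] == "source":
                current["source"] = parts[2]
            elif parts[1] == "destination":
                current["destination"] = parts[2]
            elif parts[1] == "mode" and parts[2] == "gre":
                current["gre"] = True
    return [
        {"interface": b["interface"], "source": b["source"], "destination": b["destination"]}
        for b in blocks
        if b["gre"]
    ]


def find_webui_indicators(syslog_lines: Iterable[str], known_admins: Iterable[str]) -> List[Dict[str, str]]:
    """Flag syslog lines that show web UI logins, web UI-driven config changes
    or file installs through the web UI; logins by allow-listed users are ignored."""
    known = set(known_admins)
    hits = []
    for line in syslog_lines:
        m = WEBLOGIN_RE.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            if user not in known:
                hits.append({"reason": f"web UI login by non-allow-listed user {user} from {src}", "line": line})
            continue
        if CONFIG_P_RE.search(line):
            hits.append({"reason": "configuration changed through the web UI (SEP_webui_wsma_http)", "line": line})
            continue
        m = INSTALL_RE.search(line)
        if m:
            hits.append({"reason": f"file installed through the web UI by {m.group(1)}: {m.group(2)}", "line": line})
    return hits


def audit(config: str, syslog_lines: Iterable[str], known_admins: Iterable[str]) -> Dict[str, list]:
    """Combine the three checks into one report for a single device."""
    return {
        "unexpected_priv15_users": find_unexpected_priv15_users(config, known_admins),
        "gre_tunnels": find_gre_tunnels(config),
        "webui_indicators": find_webui_indicators(syslog_lines, known_admins),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RUNNING_CONFIG, SAMPLE_SYSLOG, KNOWN_ADMINS)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Feed it the output of `show running-config` and `show logging` (or the syslog collector’s copy, since an attacker with root can clear the on-box buffer). The GRE check reports every GRE tunnel rather than judging them, because legitimate tunnels are common; compare the destinations against the known tunnel endpoints for that device. Cisco’s October 2023 guidance also described a live check for the original implant (an HTTPS POST to `/webui/logoutconfirm.html?logon_hash=1` that returned a hexadecimal string when the implant was present); that is a network request against the device and is not reproduced here.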
RedMike’s targets extend beyond telecommunications companies. Universities across Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States, and Vietnam have also been compromised, particularly those engaged in research on telecommunications, engineering, and emerging technologies. The report notes, citing previous cyberattacks by APT40, RedGolf (APT41), and RedBravo (APT31) on academic institutions, that “Universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property.”
Insikt Group confirmed that seven of the Cisco devices communicating with RedMike’s infrastructure belonged to high-value networks. Persistent access to such devices allows data interception, surveillance, and potential service disruption. Insikt Group explains that “RedMike’s targeting of lawful intercept programs and U.S. political figures highlights the strategic intelligence objectives behind these operations.”
RedMike’s campaign is part of a larger shift by Chinese state-sponsored hackers toward exploiting unpatched public-facing appliances for initial access. The report states that “Sophisticated Chinese threat activity groups have shifted heavily toward exploiting these devices for initial access over the past five years.”