Connect with us

Hi, what are you looking for?


Incident Response

Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak

Cisco has warned customers that the Vault 7 files obtained by WikILeaks contain information on a critical vulnerability affecting many of the company’s switches. Patches are not available, but Cisco has provided some mitigation advice.

Cisco has warned customers that the Vault 7 files obtained by WikILeaks contain information on a critical vulnerability affecting many of the company’s switches. Patches are not available, but Cisco has provided some mitigation advice.

The Vault 7 leak allegedly contains information on the CIA’s hacking capabilities, including exploits targeting mobile devices, desktop systems, networking equipment and IoT devices. Some of the tools also appear to target the products of cybersecurity companies, but an initial investigation showed that many of the exploited vulnerabilities were patched several years ago.

An initial analysis conducted by Cisco revealed the existence of malware targeting various routers and switches. This malware, designed to evade detection and ensure that it would not cause the compromised device to crash, is capable of collecting and exfiltrating data, executing commands, and manipulating web traffic.

On Friday, Cisco reported that its investigation also revealed the existence of a zero-day vulnerability affecting the Cluster Management Protocol (CMP) processing code of its IOS and IOS XE software.

The flaw, tracked as CVE-2017-3881, allows a remote, unauthenticated attacker to cause affected switches to reload or execute arbitrary code with elevated privileges and gain full control of the device. The security hole can be exploited via Telnet.

Cisco’s analysis showed that the zero-day affects over 300 switches and modules, including Catalyst, Embedded Service, IE and ME switches, and RF Gateway 10 devices. Some of the affected models are no longer sold and supported.

Until patches become available, customers have been advised to consider disabling the Telnet protocol for incoming connections and use only SSH. If disabling Telnet is not possible, users can reduce the attack surface via access control lists (ACLs).

Advertisement. Scroll to continue reading.

Cisco has made available an online tool to help users determine if their IOS and IOS XE software is affected by the zero-day.

The networking giant said it was not aware of any attacks exploiting this vulnerability. WikiLeaks did say on Twitter that the “CIA was secretly exploiting” the flaw, but it’s unclear if the whistleblower organization has any evidence or if it’s just an assumption.

WikiLeaks has not made public any actual tools or exploits, but it has promised to provide detailed information to tech companies. However, the organization wants firms to agree to certain conditions, including a responsible disclosure policy that appears to be inspired by Google’s policy.

According to WikiLeaks, only Mozilla has been provided information on the vulnerabilities in the Vault 7 leak, while “Google and some other companies” only confirmed receiving the initial notification. WikiLeaks says “most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies.” WikiLeaks could soon release information on company responsiveness.

The CIA has neither confirmed nor denied the authenticity of the leaked files, but the intelligence agency has assured the public that it’s not conducting electronic surveillance on people in the U.S.

The White House has warned that there could be legal repercussions for companies using the information obtained by WikiLeaks as classified files remain classified even if they are made public.

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: “Vault 7” Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.