Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Cisco Patches CIA Zero-Day Affecting Hundreds of Switches

Cisco has finally released an update for its IOS and IOS XE software to address a critical vulnerability believed to have been used by the U.S. Central Intelligence Agency (CIA) to target the company’s switches.

Cisco has finally released an update for its IOS and IOS XE software to address a critical vulnerability believed to have been used by the U.S. Central Intelligence Agency (CIA) to target the company’s switches.

Cisco learned of the flaw in mid-March after conducting an analysis of the Vault 7 files made available by WikiLeaks. These files describe exploits allegedly used by the CIA to hack mobile devices, desktop systems, networking equipment and IoT devices.

The vulnerability, tracked as CVE-2017-3881, affects the cluster management protocol (CMP) processing code used by Cisco’s IOS and IOS XE software. An unauthenticated attacker can exploit the flaw remotely to cause devices to reload or for arbitrary code execution with elevated privileges.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” Cisco said in its advisory.

The security hole exists due to the fact that malformed CMP-specific Telnet options are not processed correctly, and due to the failure to restrict the use of these options to internal communications between cluster members.

According to the vendor, more than 300 switches are affected, including Catalyst, Embedded Service, IE (industrial), RF and ME devices. The issue also impacts several service modules.

Cisco warned users on April 10 that an exploit targeting the vulnerability had been made public, but the weakness was only patched this week. The company did, however, share some mitigation advice when it first disclosed the problem.

The networking giant said there was no evidence of malicious exploitation, but if the exploit does belong to the CIA, the agency may have used it in targeted attacks. WikiLeaks claimed that the CIA had “secretly exploited” the vulnerability.

Cisco’s IOS software was also apparently targeted by the Equation Group, an NSA-linked threat actor whose tools were leaked online by a hacker group calling itself Shadow Brokers. Researchers determined last year that the flaw had exposed hundreds of thousands of Cisco devices to attacks.

Cisco is the only major vendor that has admitted finding a critical vulnerability in the Vault 7 files. Security firms and tech giants claim that the latest versions of their products patch a majority of the flaws. On the other hand, WikiLeaks says most companies have not made any effort to obtain the actual exploits possessed by the organization.

Related: Cisco Fixes Serious Flaws in Security, Other Products

Related: Actively Exploited Struts Flaw Affects Cisco Products

Related: Cisco Patches Critical Flaw in Aironet Access Points

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.