The Australian Signals Directorate (ASD) has released a bulletin about persistent cyberattacks targeting unpatched Cisco IOS XE devices in the country. According to the intelligence agency, the activity involves exploitation of CVE-2023-20198 (CVSS score: 10.0).
The security flaw has been actively exploited in the wild since 2023; in recent months, threat actors connected to China, such as Salt Typhoon, have weaponized it to compromise telecom companies. The malware is thought to have infected up to 400 devices in Australia since July 2025, 150 of them in October alone. According to the agency, to stop future exploitation attempts, system operators must apply the patches, restrict public access to the web user interface, and follow the necessary hardening guidelines issued by Cisco.
According to the agency's assessment, the threat actors are able to detect when the implant is removed and are re-infecting the devices: devices about which the agency had previously notified impacted entities have been re-exploited. The implant lacks a persistence mechanism, so it does not survive a system reboot. The threat actor may nevertheless reintroduce the malware and regain access to the device.






