CISA AA25-239A: Countering Chinese State-Sponsored Actors Compromising Network Devices Worldwide

Chinese state-sponsored cyber actors are conducting long-running intrusion campaigns against telecoms and other critical networks by exploiting known vulnerabilities in edge and core network devices. As of August 28, 2025, CISA’s joint advisory AA25-239A reports widespread targeting of backbone, provider edge (PE), and customer edge (CE) routers, with persistence achieved via configuration tampering, tunneling, and credential collection; patches and detailed mitigations are available, and CISA has published STIX IOCs to aid hunting [10]. (cisa.gov)

Overview

AA25-239A, released on August 27, 2025, is a multinational joint advisory co-sealed by U.S., Five Eyes, and several European partners. It emphasizes that the actors have focused on abusing publicly known CVEs on internet-exposed devices and trusted interconnections, not on zero-days to date, and it maps observed behavior to MITRE ATT&CK and D3FEND for enterprise and network infrastructure [10]. (cisa.gov)

CISA’s technical narrative describes how the actors pivot across provider and customer links (trusted relationships), enable traffic mirroring (SPAN/RSPAN/ERSPAN), and create GRE/IPsec tunnels to collect credentials (e.g., TACACS+/RADIUS) and exfiltrate traffic while blending into high-volume nodes [10]. (cisa.gov)

Impact of CISA AA25-239A

  • Strategic objectives include intelligence collection by monitoring authentication traffic, device configurations, and selected customer segments of ISPs. Persistent compromise of routers and switches enables ongoing C2, credential harvesting, and covert data exfiltration [10]. (cisa.gov)
  • The advisory notes no observed zero-day exploitation in this campaign cluster; instead, the actors systematically exploit known, high-impact network-edge vulnerabilities [10]. (cisa.gov)

Affected Products & Versions (patch-priority focus)

The actors have historically exploited the following CVEs on exposed devices. Prioritize patching and hardening in this order based on prevalence and observed exploitation:

  1. Cisco IOS XE Web UI (CVE-2023-20198, CVE-2023-20273). Attackers create local privilege-15 users via the WSMA Web UI endpoints and chain a post-auth command injection to gain root, then implant and persist. Cisco’s advisory lists fixed trains; CISA guidance enumerates first-fixed versions (17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a) [1], and the KEV catalog entries confirm active exploitation [11]. (sec.cloudapps.cisco.com, cisa.gov)
  2. Palo Alto Networks PAN-OS GlobalProtect (CVE-2024-3400). Unauthenticated RCE affects PAN-OS 10.2/11.0/11.1 with GlobalProtect portal/gateway enabled; fixed in 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 and subsequent hotfixes; exploitation in the wild is acknowledged by the vendor and by CISA alerts [3], [13]. (security.paloaltonetworks.com, cisa.gov)
  3. Ivanti Connect Secure / Policy Secure (CVE-2024-21887 chained with CVE-2023-46805). Chaining enables unauthenticated RCE on affected 9.x and 22.x releases; Ivanti issued staggered patches and guidance in January–February 2024 [4]; KEV confirms exploitation [12]. (ivanti.com, cisa.gov)
  4. Cisco IOS/IOS XE Smart Install (CVE-2018-0171). RCE on devices with Smart Install enabled; Cisco PSIRT provides fixes and remediation guidance; this CVE continues to see opportunistic and state-backed exploitation [2]. (sec.cloudapps.cisco.com)

Note: AA25-239A cautions that additional devices (e.g., certain firewalls, VPNs, routers, and switches) may be targeted as part of evolving tradecraft; defenders should prioritize patching known exploited vulnerabilities listed in CISA’s KEV and harden all internet-facing management surfaces [10]. (cisa.gov)

Exposure & Exploitability

  • Initial access: exploitation of public-facing services on network devices using known CVEs (e.g., Ivanti, PAN-OS, Cisco IOS XE), often at scale across many IPs; no zero-day exploitation observed in this activity set [10]. (cisa.gov)
  • Privilege escalation and persistence: creation of new local admin accounts; ACL tampering; enabling SSH on high, non-default ports; adding SSH authorized keys; and use of on-box containers (Cisco Guest Shell) to stage tools and pivot [10]. (cisa.gov)
  • Defense evasion and exfiltration: tunneling (GRE/mGRE/IPsec), abuse of ISP peering links, and mirrored captures to hide C2/exfil in normal backbone traffic [10]. (cisa.gov)

Detection & Telemetry

Prioritize targeted hunts on devices and management planes:

Cisco IOS XE (Web UI/WSMA)

  • Hunt for HTTP POST requests to /webui_wsma_Http or /webui_wsma_Https (case-insensitive), including double-encoded path variants; presence of a “Proxy-Uri-Source” header on traffic to /webui_wsma_* indicates a patched device handling the request [10]. (cisa.gov)
  • Review logs for newly created privilege-15 users; validate unexpected ACL entries (e.g., “access-list 20/50/10”), non-standard SSH ports (e.g., 22x22-pattern port numbers), and changes to AAA/TACACS+/RADIUS servers [10]. (cisa.gov)
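The path hunt in the first bullet above, as an added example that is not from the advisory or from Cisco: a small Python hunt over web-server access-log lines that repeatedly percent-decodes each request path (so double-encoded variants collapse to the plain endpoint), case-folds it, and flags POSTs to the two WSMA endpoints. The log lines are constructed for the example and use RFC 5737 documentation addresses; the log format (Combined Log Format style) and the function names are assumptions, not anything a device or tool produces.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory or any real device):
# a plain hit, a double-percent-encoded variant, benign Web UI use, and a
# mixed-case variant with a query string that the device rejected.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Aug/2025:10:01:02 +0000] "POST /webui_wsma_Http HTTP/1.1" 200 512
198.51.100.7 - - [14/Aug/2025:10:01:05 +0000] "POST /%2577ebui%255fwsma%255fHttps HTTP/1.1" 200 498
203.0.113.9 - - [14/Aug/2025:10:02:11 +0000] "GET /webui/ HTTP/1.1" 200 2048
203.0.113.9 - - [14/Aug/2025:10:03:40 +0000] "POST /WEBUI_WSMA_HTTPS?x=1 HTTP/1.1" 404 0
"""

# Combined-Log-Format-style request line: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# After normalisation both WSMA endpoints collapse to exactly these strings.
WSMA_PATHS = {"/webui_wsma_http", "/webui_wsma_https"}


def normalize_path(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the path stops changing, drop any query string,
    lowercase, and strip a trailing slash. Repeated decoding is what catches the
    double-encoded variants; the round limit bounds work on pathological input."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    current = current.split("?", 1)[0].lower()
    return current.rstrip("/") or "/"


def hunt_wsma(log_text: str) -> list:
    """Return one record per POST whose normalised path is a WSMA endpoint.
    The HTTP status is reported but never used to clear a hit: a 404 still
    shows someone probing the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        norm = normalize_path(m["path"])
        if norm in WSMA_PATHS:
            hits.append({"src": m["src"], "ts": m["ts"], "raw_path": m["path"],
                         "path": norm, "status": m["status"]})
    return hits


def sources(hits: list) -> list:
    """Distinct source addresses to pivot on, sorted for stable output."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in hunt_wsma(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} {h["raw_path"]} -> {h["path"]} ({h["status"]})')
```

Access logs carry paths, not headers, so the “Proxy-Uri-Source” check needs header-level visibility (a reverse proxy log or full capture); this hunt covers only the path side of the bullet.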

Cisco Guest Shell and on-box containers

  • Inspect for unexpected enablement of Guest Shell (guestshell enable/run) and subsequent disable/destroy activity (possible anti-forensics) as well as execution of Python tooling (e.g., siet.py for Smart Install actions) within containers [10]. (cisa.gov)

Credential and traffic collection

  • Search for PCAPs named tac.pcap, mycap.pcap, or similar on routers; monitor TCP/49 (TACACS+) and RADIUS flows; validate that AAA servers are not redirected to external IPs [10]. (cisa.gov)

Palo Alto Networks PAN-OS (CVE-2024-3400)

  • On affected PAN-OS versions with GlobalProtect, review gpsvc.log for anomalous “failed to unmarshal session(…)” entries and validate that GlobalProtect interface vulnerability-protection signatures are applied; upgrade to fixed releases or hotfixes as listed in the vendor advisory [3]. (security.paloaltonetworks.com)

Indicators of Compromise (IOCs)

  • CISA provides STIX 2.1 packages with IPs, artifacts, and rules cited by AA25-239A; ingest them into your TIP/SIEM for correlation [17], [18]. CISA’s page also lists example hashes (e.g., an ELF “sft” client sample) and a sample Snort signature family to detect CVE-2023-20198-style WSMA abuse [10]. (cisa.gov)
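Ingesting the STIX package, as an added example that is not from CISA or from the advisory: a Python routine that walks a STIX 2.1 bundle, pulls the comparison values out of each indicator’s pattern (IPv4 addresses or prefixes, SHA-256 hashes, domain names), and sweeps a set of log lines against them. The bundle and log lines are constructed for the example (RFC 5737 addresses, reserved test domains, the SHA-256 of an empty file as a placeholder hash); the real bundle is the JSON file cited in [17], loaded with `json.load`. Only equality comparisons are handled, which covers the indicator style the example assumes; other STIX pattern forms are left alone.

```python
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle in the shape of an indicator package. None of
# these values come from the real AA25-239A bundle.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f9c2a4e-1111-4aaa-8bbb-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0f9c2a4e-1111-4aaa-8bbb-000000000002",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0f9c2a4e-1111-4aaa-8bbb-000000000003",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0f9c2a4e-1111-4aaa-8bbb-000000000004",
         "valid_from": "2025-08-27T00:00:00Z",
         # placeholder: SHA-256 of an empty file, not a real sample hash
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0f9c2a4e-1111-4aaa-8bbb-000000000005",
         "valid_from": "2025-08-27T00:00:00Z",
         "pattern": "[domain-name:value = 'update.example.invalid'] OR "
                    "[domain-name:value = 'cdn.example.invalid']"},
        # Non-indicator objects (malware, relationships, ...) are skipped.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--0f9c2a4e-1111-4aaa-8bbb-000000000006",
         "name": "placeholder", "is_family": False},
    ],
}

# Constructed log lines: flow records, a file inventory line and a DNS query.
SAMPLE_LOGS = """\
2025-08-20T03:14:07Z pe1 flow src=10.20.1.5 dst=203.0.113.45 proto=47 bytes=88120
2025-08-20T03:15:22Z pe1 flow src=10.20.1.5 dst=192.0.2.10 proto=6 dport=443 bytes=4100
2025-08-20T03:16:01Z pe2 file=/bootflash/sft sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2025-08-20T03:17:45Z dns1 query name=cdn.example.invalid client=10.20.1.7
2025-08-20T03:18:00Z pe1 flow src=10.20.1.9 dst=198.51.100.77 proto=6 dport=22 bytes=3000
"""

# One "object-path = 'value'" comparison inside a STIX pattern.
COMPARISON_RE = re.compile(r"([a-z0-9\-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']+)'")
IPV4_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_TOKEN = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_TOKEN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(bundle: dict) -> dict:
    """Collect matchable values from every STIX-pattern indicator in the bundle."""
    iocs = {"ipv4": [], "sha256": set(), "domain": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            if path == "ipv4-addr:value":
                # a bare address becomes a /32; a CIDR stays a prefix
                iocs["ipv4"].append(ipaddress.ip_network(value, strict=False))
            elif path == "file:hashes.'SHA-256'":
                iocs["sha256"].add(value.lower())
            elif path == "domain-name:value":
                iocs["domain"].add(value.lower())
    return iocs


def sweep(log_text: str, iocs: dict) -> list:
    """Return (line number, ioc type, value) for every IOC seen in the logs."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for tok in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                continue
            if any(addr in net for net in iocs["ipv4"]):
                hits.append((lineno, "ipv4", tok))
        for tok in SHA256_TOKEN.findall(line):
            if tok.lower() in iocs["sha256"]:
                hits.append((lineno, "sha256", tok.lower()))
        for tok in DOMAIN_TOKEN.findall(line):
            if tok.lower() in iocs["domain"]:
                hits.append((lineno, "domain", tok.lower()))
    return hits


if __name__ == "__main__":
    # For the real package: with open("AA25-239A....stix_.json") as f: bundle = json.load(f)
    bundle = json.loads(json.dumps(SAMPLE_BUNDLE))
    for hit in sweep(SAMPLE_LOGS, extract_iocs(bundle)):
        print(hit)
```

Prefix indicators are kept as networks rather than expanded, so a /24 in the bundle costs one containment check per address token instead of 256 set entries; the domain and hash sets give constant-time lookups for the rest.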

MITRE ATT&CK and D3FEND

  • Techniques frequently observed include Exploit Public-Facing Application (T1190), Create Account (T1136.001), Protocol Tunneling (T1572), Network Sniffing (T1040), Multi-hop Proxy (T1090.003), and ACL tampering for defense evasion; mitigations map to D3FEND controls like D3-SU (Software Update), D3-NI (Network Isolation), and D3-ITF (Inbound Traffic Filtering) [10]. (cisa.gov)

Mitigations & Patching/Workarounds

Patching and re-hardening

  • Cisco IOS XE Web UI: Upgrade to first-fixed releases (e.g., 17.9.4a/17.6.6a/17.3.8a/16.12.10a). If Web UI is not required, disable the HTTP server (no ip http server and no ip http secure-server) on internet-exposed devices. Validate no unauthorized local users remain [1]. (sec.cloudapps.cisco.com)
  • PAN-OS (CVE-2024-3400): Upgrade to 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 or later; ensure Threat Prevention IDs are applied to the GlobalProtect interface per vendor guidance [3]. (security.paloaltonetworks.com)
  • Ivanti Connect Secure/Policy Secure: Apply vendor patches for affected 9.x/22.x releases and run current integrity checks; consult the January–February 2024 updates and the Five Eyes advisory on ICT limitations during incident response [4], [14]. (ivanti.com, cisa.gov)
  • Smart Install (CVE-2018-0171): Patch and disable Smart Install where not strictly required; restrict TCP/4786 and implement infrastructure ACLs per Cisco guidance [2]. (sec.cloudapps.cisco.com)
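The Cisco items in the list above, shown as an added configuration example that is not taken from the advisory or from Cisco’s documentation: the exposed state on the left-hand side of the exploited devices beside the corresponding hardened IOS XE configuration. The management prefix 10.10.0.0/16 and the ACL name MGMT-IN are placeholders; the commands are generic IOS XE syntax and should be checked against the platform and release in use.

```text
! --- Exposed state (the conditions the listed CVEs depend on) ---
! Web UI reachable on the interface that faces the internet
ip http server
ip http secure-server
! Smart Install is on by default on many platforms and does not appear in the
! running configuration; it listens on TCP/4786 until explicitly disabled.
line vty 0 4
 transport input all

! --- Hardened ---
! Web UI off entirely when it is not needed (Cisco IOS XE Web UI, item 1 above)
no ip http server
no ip http secure-server
! Smart Install off (item 4 above); if it must stay on, ACL TCP/4786 to known directors
no vstack
! Management only over SSHv2, only from the management prefix, with idle timeout
ip ssh version 2
ip access-list standard MGMT-IN
 permit 10.10.0.0 0.0.255.255
 deny   any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
```

Applying the hardened block does not remove an implant or an added account from an already compromised device; the upgrade to a fixed release and the review of local users and configuration in the bullets above are still required.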

Hardening actions

  • Segregate and lock down all device management services (SSH/HTTPS/SNMP/TACACS+/RADIUS) in an out-of-band management network or dedicated management VRF; apply Control-Plane Policing (CoPP) and prevent route leakage from data-plane/peering VRFs [10]. (cisa.gov)
  • Audit for unexpected tunnels (GRE/IPsec), foreign AAA servers, packet capture/mirroring configs, and running containers; treat findings as high-fidelity indicators for compromise [10]. (cisa.gov)
  • Prioritize remediation using CISA’s Known Exploited Vulnerabilities Catalog; the listed CVEs (e.g., CVE-2023-20198, CVE-2023-20273, CVE-2024-21887, CVE-2024-3400) are KEV-tracked and require expedited action [11], [12], [13], [16]. (cisa.gov, nvd.nist.gov)
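The audit described in the second hardening bullet above (unexpected tunnels, foreign AAA servers, capture/mirroring configuration, running containers) overlaps with the configuration checks under “Detection & Telemetry” (privilege-15 users, non-standard SSH ports and authorized keys, ACL entries, AAA server changes, Guest Shell), so one added example serves both. It is not from the advisory or from Cisco: a Python audit over saved `show running-config` text that compares what it finds against allowlists a defender keeps out-of-band. The sample configuration, the allowlists (admin user `netops`, management prefix 10.10.0.0/16) and the finding names are constructed for the example.

```python
import ipaddress
import re

# Allowlists maintained out-of-band (placeholder values for the example).
APPROVED_ADMINS = {"netops"}
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # AAA servers, tunnel peers, ACL sources

# Constructed running-config excerpt; every address is RFC 5737 or private space.
SAMPLE_CONFIG = """\
hostname pe-edge-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
!
ip ssh version 2
ip ssh port 22222 rotary 1
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa PLACEHOLDERHASH1 netops@mgmt
 username svc_backup
  key-hash ssh-rsa PLACEHOLDERHASH2 backup@unknown
!
ip http server
ip http secure-server
!
iox
app-hosting appid guestshell
!
tacacs server MGMT-TAC
 address ipv4 10.10.0.5
tacacs server TAC-EXT
 address ipv4 203.0.113.77
!
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
!
monitor session 1 source interface GigabitEthernet0/0/1
monitor session 1 destination interface GigabitEthernet0/0/2
!
access-list 20 permit 10.10.5.0 0.0.0.255
access-list 20 permit 203.0.113.0 0.0.0.255
"""


def _approved(target: str) -> bool:
    """True if an address, prefix or 'addr/hostmask' string lies inside an approved range."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:  # 'any', hostnames, garbage: never approved
        return False
    return any(net.subnet_of(ok) for ok in APPROVED_MGMT_NETS)


def _acl_source(rest: str) -> str:
    """Source part of 'access-list N permit ...' as an ipaddress-style string."""
    parts = rest.split()
    if parts[0] == "any":
        return "any"
    if parts[0] == "host":
        return parts[1]
    if len(parts) >= 2 and parts[1] != "0.0.0.0":
        return f"{parts[0]}/{parts[1]}"  # address + wildcard (ipaddress accepts hostmasks)
    return parts[0]


def audit_config(text: str) -> list:
    """Return (line number, finding kind, detail) for every config line that
    violates the allowlists or enables a capability the advisory flags."""
    findings = []
    block = ""  # most recent top-level (unindented) command, for context
    for ln, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            block = line

        m = re.match(r"^username (\S+) privilege 15\b", line)
        if m and m.group(1) not in APPROVED_ADMINS:
            findings.append((ln, "unapproved-priv15-user", m.group(1)))

        m = re.match(r"^ip ssh port (\d+)", line)
        if m and m.group(1) != "22":
            findings.append((ln, "ssh-nonstandard-port", m.group(1)))

        m = re.match(r"^\s+username (\S+)", line)
        if m and block == "ip ssh pubkey-chain" and m.group(1) not in APPROVED_ADMINS:
            findings.append((ln, "ssh-key-for-unapproved-user", m.group(1)))

        if re.match(r"^ip http (secure-)?server$", line):
            findings.append((ln, "webui-enabled", line))

        if line == "iox" or line.startswith("app-hosting appid "):
            findings.append((ln, "container-hosting", line))

        m = re.match(r"^\s+address ipv4 (\S+)", line)
        if m and block.startswith(("tacacs server", "radius server")) and not _approved(m.group(1)):
            findings.append((ln, "aaa-server-outside-mgmt", f"{block} -> {m.group(1)}"))

        m = re.match(r"^\s+tunnel destination (\S+)", line)
        if m and not _approved(m.group(1)):
            findings.append((ln, "tunnel-to-unapproved-peer", f"{block} -> {m.group(1)}"))

        if re.match(r"^monitor session \d+ destination", line):
            findings.append((ln, "traffic-mirroring", line))

        m = re.match(r"^access-list (\d+) permit (.+)$", line)
        if m and not _approved(_acl_source(m.group(2))):
            findings.append((ln, "acl-permits-unapproved-source", line))
    return findings


if __name__ == "__main__":
    for ln, kind, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {ln:>3}  {kind:<30} {detail}")
```

Run it over configurations pulled through the out-of-band management path rather than over the device’s own view of itself, and diff successive runs: a finding that appears between two collections is exactly the change the advisory says to treat as a high-fidelity indicator.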

If compromise is suspected

  • Assume credential theft and on-box persistence; revoke device credentials/keys, rotate TACACS+/RADIUS secrets, and re-provision devices from trusted images after forensic acquisition. Validate configs for unauthorized users/ACLs/tunnels, and ingest CISA’s STIX IOCs for retrospective sweeps [10], [17], [18]. (cisa.gov)

Timeline

  • March 28, 2018: Cisco publishes Smart Install RCE advisory (CVE-2018-0171) [2]. (cisco.com)
  • October 16–25, 2023: Cisco discloses IOS XE Web UI vulnerabilities (CVE-2023-20198, CVE-2023-20273) with active exploitation; KEV entries follow [1], [16]. (sec.cloudapps.cisco.com, nvd.nist.gov)
  • January–February 2024: Ivanti issues patches/updates for CVE-2024-21887 (with CVE-2023-46805 chain); Five Eyes joint advisory warns ICT could be deceived [4], [14]. (ivanti.com, cisa.gov)
  • April 12, 2024: PAN-OS CVE-2024-3400 disclosed; vendor confirms exploitation; CISA flags and adds to KEV [3], [13]. (security.paloaltonetworks.com)
  • August 27, 2025: CISA publishes AA25-239A detailing the campaign’s TTPs, IOCs, and mitigations [10]. (cisa.gov)

References

  1. Cisco Security Advisory — Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (CVE-2023-20198, CVE-2023-20273). First published October 16, 2023; last updated November 1, 2023.
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  2. Cisco Security Advisory — Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability (CVE-2018-0171). First published March 28, 2018; last updated December 15, 2022.
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
  3. Palo Alto Networks Security Advisory — CVE-2024-3400 PAN-OS GlobalProtect arbitrary file creation leading to command injection; fixed versions and exploitation status. Published April 12, 2024; updated September 11, 2024.
    https://security.paloaltonetworks.com/CVE-2024-3400/
  4. Ivanti — Security Update for Ivanti Connect Secure and Policy Secure Gateways (CVE-2023-46805, CVE-2024-21887 and related). January–February 2024 updates.
    https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
  5. NVD — CVE-2023-20198 (Cisco IOS XE Web UI authentication bypass).
    https://nvd.nist.gov/vuln/detail/CVE-2023-20198
  6. NVD — CVE-2023-20273 (Cisco IOS XE Web UI post-auth command injection).
    https://nvd.nist.gov/vuln/detail/CVE-2023-20273
  7. NVD — CVE-2018-0171 (Cisco Smart Install RCE).
    https://nvd.nist.gov/vuln/detail/CVE-2018-0171
  8. NVD — CVE-2024-3400 (PAN-OS GlobalProtect).
    https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  9. NVD — CVE-2024-21887 (Ivanti ICS/Policy Secure command injection).
    https://nvd.nist.gov/vuln/detail/CVE-2024-21887
  10. CISA Cybersecurity Advisory AA25-239A — Countering Chinese State-Sponsored Actors’ Compromise of Networks Worldwide to Feed Global Espionage System. Release date August 27, 2025.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
  11. CISA Known Exploited Vulnerabilities (KEV) — CVE-2023-20198 (Cisco IOS XE Web UI).
    https://www.cisa.gov/known-exploited-vulnerabilities-catalog (filtered entry for CVE-2023-20198)
  12. CISA Known Exploited Vulnerabilities (KEV) — CVE-2024-21887 (Ivanti ICS/Policy Secure).
    https://www.cisa.gov/known-exploited-vulnerabilities-catalog (filtered entry for CVE-2024-21887)
  13. CISA Alert — Palo Alto Networks Releases Guidance for PAN-OS CVE-2024-3400; exploitation acknowledged and added to KEV. April 12, 2024.
    https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
  14. CISA/Five Eyes Advisory AA24-060B — Threat Actors Exploit Multiple Vulnerabilities in Ivanti ICS/Policy Secure; integrity checker tool limitations.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
  15. CISA Guidance — Addressing Cisco IOS XE Web UI Vulnerabilities (fixed trains and response actions). Updated November 1, 2023.
    https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
  16. NVD (with KEV annotation) — CVE-2023-20273 (shows KEV status and dates for Cisco IOS XE post-auth injection).
    https://nvd.nist.gov/vuln/detail/CVE-2023-20273
  17. CISA STIX 2.1 IOC bundle (JSON) for AA25-239A.
    https://www.cisa.gov/sites/default/files/2025-08/AA25-239A-Countering-Chinese-State-Sponsored-Actors-Compromise-of-Networks-Worldwide-to-Feed-Global-Espionage-System.stix_.json
  18. CISA STIX 2.1 IOC bundle (XML) for AA25-239A.
    https://www.cisa.gov/sites/default/files/2025-08/AA25-239A-Countering-Chinese-State-Sponsored-Actors-Compromise-of-Networks-Worldwide-to-Feed-Global-Espionage-System.stix_.xml
