Cyber Incident Victim: Cisco
Date: Apr 2020
Location: United States of America
Summary
A cybersecurity breach at Cisco involved unauthorized access to backend infrastructure supporting its VIRL-PE service, through exploitation of two critical SaltStack vulnerabilities (CVE-2020-11651 and CVE-2020-11652) that enabled authentication bypass and directory traversal. Attackers compromised six servers that provided testing environments for network setups; the incident was linked to broader exploitation campaigns targeting multiple organizations. The company remediated the affected systems by applying SaltStack updates. The breach's specific impact was not detailed, though other incidents involving these vulnerabilities typically ended in cryptominer deployments. Cisco released patches for both VIRL-PE and Cisco Modeling Labs to address the underlying flaws.
Description
On May 28, 2020, Cisco disclosed a security breach affecting backend infrastructure supporting its VIRL-PE (Virtual Internet Routing Lab Personal Edition) service, a platform for network testing. The incident involved unauthorized access to six specific servers (us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info, and vsm-us-2.virl.info) through exploitation of vulnerabilities in SaltStack, an open-source configuration management package integrated into Cisco's products. Attackers leveraged two critical SaltStack flaws, CVE-2020-11651 and CVE-2020-11652, which enabled authentication bypass and directory traversal, respectively. These vulnerabilities had been publicly disclosed on April 30, 2020, and were actively exploited across multiple organizations, including LineageOS, Ghost, Digicert, Xen Orchestra, and Algolia, before Cisco's breach. The compromised servers provided backend functionality for VIRL-PE but were not part of Cisco's core corporate systems or customer-facing production environments. Cisco did not specify the exact nature of the breach but acknowledged that the attackers had gained access to the infrastructure.

Cisco completed remediation efforts on May 7, 2020, by deploying SaltStack software updates to patch the vulnerabilities across all affected servers. The company also released security updates for VIRL-PE and Cisco Modeling Labs (CML) to address the underlying SaltStack flaws. While Cisco did not confirm specific malicious activities during the breach, industry observations of similar SaltStack-related incidents frequently involved the deployment of cryptocurrency mining software. The incident underscored risks associated with third-party software dependencies, particularly given SaltStack’s widespread use in enterprise environments. No customer data compromises or operational disruptions to Cisco’s broader services were reported. The disclosure aligned with broader cybersecurity advisories urging rapid patching of SaltStack vulnerabilities following their late-April disclosure.
