
New Salt Typhoon Defense Guidance from FBI and CISA

The FBI and CISA, along with a coalition of other international cybersecurity agencies, have released a new Cybersecurity Advisory, CSA AA25-239A, about Salt Typhoon and other Chinese State-Sponsored Advanced Persistent Threat (APT) groups. 

The new guidance includes specific details about protecting firmware from attacks, as well as CVEs in Cisco and Palo Alto equipment being targeted by Salt Typhoon. 

This release is an enormous step forward. Historically, directly attributing attacks to specific threat actors has been difficult, and the publicly released details usually remain vague. When Eclypsium wrote about Salt Typhoon in December 2024, there was limited information available about the specific CVEs and MITRE TTPs associated with Salt Typhoon. The new guidance provides far more detail, giving defenders a larger toolset for defending against PRC APTs.

The advisory names dozens of CVEs and TTPs from the MITRE ATT&CK Framework that have been observed by any of the 25+ co-sealing agencies that worked together to release it.

The new guidance also clarifies that, because CISA and other government agencies do not use the same APT naming conventions as private companies and threat researchers (who each maintain their own standards), these CVEs and TTPs likely come from a matrix of PRC APTs rather than being strictly attributed to a single actor such as Salt Typhoon.

Eclypsium Fulfills Firmware Security Requirements Against Salt Typhoon

The new cybersecurity advisory offers specific guidance for securing against firmware-based tactics, techniques, and procedures known to be used by Salt Typhoon and other Chinese APTs. Eclypsium can support detection of vulnerable firmware, and hardening of network devices and firmware to protect against compromise.

| CISA Guidance | Eclypsium Approach |
| --- | --- |
| Perform hash verification on firmware and compare values against the vendor’s database to detect unauthorized modification to the firmware. Ensure that the firmware version is as expected. | Eclypsium has the largest database of known-good firmware hashes, at over 12 million and growing, for determining whether deployed firmware is up to date, compromised, or otherwise not as expected. |
| Compare hashes of images both on disk and in memory against known-good values. Reference the Network Device Integrity (NDI) Methodology or Network Device Integrity (NDI) on Cisco IOS Devices for more information. | Eclypsium compares hashes against known-good values, but also goes further by extracting, decompiling, and disassembling firmware on deployed devices. Eclypsium uses a combination of behavioral detection methods and AI analysis to discover known and unknown vulnerabilities in firmware. |
| Use the product’s run-time memory validation or integrity verification tool to identify any changes to the run-time firmware image. | Eclypsium monitors firmware integrity continuously over time at enterprise scale. Our customers are monitoring firmware integrity on hundreds of thousands of devices to discover unauthorized changes to firmware. |
| Where supported by the platform, enable image and configuration integrity features, such as signed image enforcement and secure configuration checkpoints. Alert on any boot-time or run-time verification failure. | Eclypsium monitors both firmware and configuration integrity across a wide range of devices, including Cisco devices like those targeted by Salt Typhoon. Eclypsium can alert on integrity changes and integrate with workflow and response technologies like SIEM and SOAR to drive a speedy response. Eclypsium can also trigger alerts when it detects unsecured configuration, or when configurations violate the principles of device hardening. |
| Check any available file directories that may exist (flash, non-volatile random-access memory [NVRAM], system, etc.) for non-standard files. | Sophisticated threat actors are likely to obfuscate file names or hide malicious code in existing files rather than creating obvious new files in unexpected locations. Eclypsium does not scan all available file directories, but does scan the firmware itself for unexpected writable regions and other characteristics and behaviors that represent risk. |
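The version, on-disk hash and run-time hash checks from the first three rows of the table, as an added example that is not Eclypsium's or CISA's code. The device model, firmware version, image bytes and the known-good database are all constructed stand-ins; the checks are applied in the order the advisory lists them, and the first failing check decides the finding.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a vendor known-good database. Run-time code is not
# byte-identical to the stored image, so the on-disk image hash and the hash of
# a known-good running instance's code segment are kept as separate references.
_GOOD_IMAGE = b"constructed-image-bytes-17.9.4a"
_GOOD_TEXT = b"constructed-runtime-code-17.9.4a"
KNOWN_GOOD = {
    ("example-router", "17.9.4a"): {"image": sha256_hex(_GOOD_IMAGE),
                                    "text": sha256_hex(_GOOD_TEXT)},
}

@dataclass
class Finding:
    device: str
    status: str  # ok | version-mismatch | unknown-version | image-mismatch | runtime-mismatch
    detail: str

def verify_firmware(device: str, model: str, reported_version: str, expected_version: str,
                    image: bytes, runtime_text: Optional[bytes] = None) -> Finding:
    """Checks in the advisory's order: expected version, on-disk hash, run-time hash."""
    if reported_version != expected_version:
        return Finding(device, "version-mismatch",
                       f"running {reported_version}, expected {expected_version}")
    ref = KNOWN_GOOD.get((model, reported_version))
    if ref is None:
        return Finding(device, "unknown-version", f"no known-good hashes for {model} {reported_version}")
    if sha256_hex(image) != ref["image"]:
        return Finding(device, "image-mismatch", "on-disk image hash not in known-good set")
    if runtime_text is not None and sha256_hex(runtime_text) != ref["text"]:
        return Finding(device, "runtime-mismatch", "in-memory code differs from known-good reference")
    return Finding(device, "ok", "version, image and run-time hashes match")

if __name__ == "__main__":
    # Constructed fleet: clean device, device with a modified image, device altered only in memory.
    for f in (
        verify_firmware("rtr-01", "example-router", "17.9.4a", "17.9.4a", _GOOD_IMAGE, _GOOD_TEXT),
        verify_firmware("rtr-02", "example-router", "17.9.4a", "17.9.4a", _GOOD_IMAGE + b"\x00", _GOOD_TEXT),
        verify_firmware("rtr-03", "example-router", "17.9.4a", "17.9.4a", _GOOD_IMAGE, b"patched-" + _GOOD_TEXT),
    ):
        print(f"{f.device}: {f.status} ({f.detail})")
```

The third constructed device shows why the in-memory check matters: its stored image is clean, so a disk-only hash comparison would report it as healthy.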

Eclypsium Salt Typhoon CVE and TTP Coverage 

Here we’ll list the CVEs named in the new cybersecurity advisory and describe how Eclypsium offers coverage, along with one additional CVE not included in CISA’s document but associated with Salt Typhoon in a Trend Micro report from November 2024.

| CVE Used by Salt Typhoon | Eclypsium Coverage |
| --- | --- |
| CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass). | Eclypsium detects the presence of vulnerable Ivanti products and detects indicators of compromise showing that this attack may be actively underway in the environment. |
| CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations. | Eclypsium can both discover the presence of vulnerable Palo Alto assets subject to this CVE in the environment, and detect known malicious behavior in PAN-OS at the system level. |
| CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root) [T1068]. | Eclypsium can detect the presence of vulnerable Cisco gear in the environment, and can detect malicious behavior associated with this CVE, as well as the frequently chained CVE-2023-20198. |
| CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability. | Eclypsium can detect the presence of vulnerable systems in the environment. If the device is running vulnerable firmware, Eclypsium inspects device configurations looking for enabled features that make the device exploitable. Eclypsium also inspects device logs, searching for signs of post-exploitation. Eclypsium helps harden devices against this vulnerability by flagging web UI management misconfiguration and other risk factors. |
| CVE-2018-0171 – Cisco IOS and IOS XE Smart Install remote code execution vulnerability. | Eclypsium is able to discover vulnerable firmware versions subject to this CVE. |
| CVE-2022-3236 – Code injection vulnerability in Sophos firewalls. | Eclypsium is able to detect vulnerable versions subject to this CVE. Note: This CVE is not included in CISA’s guidance, but has been associated with Salt Typhoon since at least November 2024, when a Trend Micro report described observations of Salt Typhoon and other PRC APTs. |

Persistence, Lateral Movement, and Data Collection Techniques

The persistence, lateral movement, and collection techniques in the FBI and CISA’s cybersecurity advisory are not matched with specific CVEs, but are labeled with the relevant T-codes from the MITRE ATT&CK for Enterprise framework, version 17. These techniques range from basic to complex living-off-the-land techniques and cannot be directly associated with any single vulnerability.

Many of the persistence, lateral movement, and data collection techniques referenced are living-off-the-land techniques that take advantage of network ports and protocols, which fall outside the scope of Eclypsium’s coverage.

Assessing Your Salt Typhoon Attack Surface

One pillar of a strong cybersecurity program is an up-to-date asset inventory. This should include not only knowledge of which technologies and versions are present in your environment, but also of the subcomponents within each asset and the firmware and firmware versions running on each of them.

Eclypsium can discover and inventory assets and their components in the enterprise environment. This enables the platform to provide a thorough report of assets with:

  • Known vulnerabilities, including those exploited by Salt Typhoon, Volt Typhoon, and other Chinese APTs.
  • Integrity lapses indicating potential malicious modification of firmware.
  • Unauthorized or counterfeit components within endpoints and networking hardware, including Cisco devices and Palo Alto firewalls like those targeted by Salt Typhoon, as well as routers, switches, firewalls, and other network infrastructure from other vendors.

CISA also recently released guidance on minimum SBOM requirements in 2025, and the recent EU Cyber Resilience Act places heavy emphasis on SBOMs that cover all integrated components of a digital product, including firmware. As cyberattackers continue to target network infrastructure, the laws and guidelines issued by governments are catching up to the new reality of this growing attack surface.

Further Reading

It is a positive sign that CISA included firmware protection guidance in its Salt Typhoon advisory, as it demonstrates growing awareness of, and focus on, the increasingly targeted firmware attack surface. Grab our white paper on the Top Firmware and Hardware Attack Vectors to learn more about this urgent cybersecurity trend.

For more on defending against firmware attacks, read our deep dive into the MITRE ATT&CK for Enterprise tactics, techniques, and procedures that involve firmware, with attack examples providing real-world detail on how attackers use firmware to intrude into and persist in target environments.

Eclypsium offers a free assessment of Salt Typhoon vulnerabilities and potential exposures to qualified organizations. Get the details of our Salt Typhoon Risk Evaluation, and reach out to see if you qualify.