Six Cisco salt-master backend servers were compromised when attackers exploited two recently reported vulnerabilities in SaltStack Salt.

Cisco revealed the attacks in an advisory, saying the Cisco Modeling Labs Corporate Edition (CML) and the Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) were vulnerable.

In early May one or more attackers exploited the flaws in the SaltStack open-source, event-based automation and configuration management tool — disclosed and patched just days earlier — to compromise the “Salt master” servers of several prominent users, including the Ghost blogging platform, the open-source mobile operating system LineageOS, and SSL certificate provider DigiCert.

“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,” which were upgraded on May 7 when the company found that it had fallen victim to the attackers, the advisory said. “Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised” and remediated them on May 7.

“The Cisco breach is a good reminder that the first line of defense for any organization is to make sure that their infrastructure is up to date and patched with the latest software releases,” said Jayant Shukla, CTO and cofounder of K2 Cyber Security. “It may sound obvious, but it’s also critical to make sure they are patched correctly, as misconfiguration is another common reason an attack is successful.”