
Cisco Developing Solution for Critical IOS XE Zero-Day Vulnerability

Cisco has announced that it is working on a fix for a critical vulnerability in its IOS XE software that is being actively exploited. The vulnerability, tracked as CVE-2023-20198, affects any device running Cisco IOS XE Software with the web UI feature enabled, that is, configured with the “ip http server” or “ip http secure-server” command. According to Cisco, the zero-day allows a remote, unauthenticated attacker to create an account with privilege level 15 (full administrative) access on an affected system, giving the attacker complete control of the device.

Cisco has assigned the vulnerability the maximum CVSS base score of 10.0. No patch is yet available. Until fixed software is released, Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or, where the web UI is still needed, restrict access to it to trusted source addresses. This is a mitigation rather than a fix: it removes the attack vector, but it does not remove accounts or implants an attacker may already have placed on a device, so systems that were exposed should also be checked against the published indicators of compromise.

To assist customers in protecting themselves, Cisco has provided instructions on how to disable the HTTP Server feature, as well as indicators of compromise and other technical details in their advisory. In line with Cisco’s advice, the Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory urging users to take the necessary precautions.
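The two actions above, checking whether the web UI is enabled and looking for the indicators Cisco published, are routine enough to script. On the device itself the check Cisco recommends is `show running-config | include ip http server|secure-server`, and the mitigation is `no ip http server` and `no ip http secure-server` in global configuration mode (both are needed if both are present). The Python below is an added example written for this page, not code from Cisco or from the article: it runs the same config check over an exported running-config and scans exported syslog for the indicator patterns. The message formats are modelled on those in Cisco's advisory and the Talos post but may differ by platform and version, so treat them as assumptions; the usernames come from Talos's public reporting; and the sample config and log lines are constructed for the example, not captured from a real device.

```python
"""Added example: offline triage helpers for the CVE-2023-20198 web UI
mitigation check and indicator-of-compromise review.

Assumptions (labelled): log/config formats approximate Cisco's published
indicators; sample data below is constructed, not from a real device.
"""
import re
from typing import Iterable

# Usernames Cisco Talos reported the attacker creating with privilege
# level 15. A real deployment would extend this with its own findings.
KNOWN_ATTACKER_USERS = {"cisco_tac_admin", "cisco_support"}

# Syslog patterns modelled on the indicators in Cisco's advisory (assumption:
# exact wording can vary across IOS XE platforms and releases).
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+)")
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+?)\]")
INSTALL_OP = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+?), Install Operation: (\S+)")


def web_ui_exposed(running_config: str) -> list[str]:
    """Offline equivalent of Cisco's check
    `show running-config | include ip http server|secure-server`.

    Returns the commands that are present un-negated; a non-empty result
    means the vulnerable web UI is enabled. Lines such as
    `no ip http server` do not match and therefore do not count."""
    enabled = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if line in ("ip http server", "ip http secure-server"):
            enabled.append(line)
    return enabled


def suspicious_events(syslog_lines: Iterable[str],
                      expected_users: set[str]) -> list[tuple[str, str]]:
    """Flag syslog lines matching the published indicators.

    - %SYS-5-CONFIG_P from a SEP_webui* process: the device was configured
      programmatically through the web UI (legitimate use also produces
      this, so it is a lead to review, not proof of compromise).
    - Web UI logins or install operations by a known attacker username.
    - The same events by any user not in `expected_users`.
    Returns (reason, line) tuples in input order."""
    flagged = []
    for line in syslog_lines:
        m = CONFIG_P.search(line)
        if m and m.group(1).startswith("SEP_webui"):
            flagged.append(("programmatic config via web UI", line))
            continue
        m = WEBLOGIN.search(line) or INSTALL_OP.search(line)
        if m:
            user = m.group(1)
            if user in KNOWN_ATTACKER_USERS:
                flagged.append(("known attacker username", line))
            elif user not in expected_users:
                flagged.append(("unexpected web UI user", line))
    return flagged


# Constructed sample running-config excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-1
!
ip domain name example.net
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

# Constructed sample syslog lines (not from a real device).
SAMPLE_SYSLOG = [
    "*Oct 12 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 03:42:13 UTC Thu Oct 12 2023",
    "*Oct 12 03:44:02.555: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.7] at 03:44:02 UTC Thu Oct 12 2023",
    "*Oct 12 03:44:09.010: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "*Oct 12 03:45:30.200: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD example.conf",
    "*Oct 12 03:50:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for cmd in web_ui_exposed(SAMPLE_RUNNING_CONFIG):
        print(f"web UI enabled by: {cmd}  -> mitigate with: no {cmd}")
    for reason, line in suspicious_events(SAMPLE_SYSLOG, {"netops"}):
        print(f"[{reason}] {line}")
```

Run against exports from your own devices rather than the constructed samples: the config check tells you which devices still need `no ip http server` / `no ip http secure-server` applied, and the log scan gives a short list of events to review by hand. An empty log result does not clear a device; only logs that cover the exposure window, and Cisco's other published checks, can do that.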

In a blog post, Cisco Talos, the threat intelligence and research group of Cisco, shared additional insights into the ongoing threat activity related to this vulnerability. They reported that signs of malicious activity were first detected on September 28, with the activity dating back to September 18. A second cluster of unusual activity was then observed on October 12. Cisco Talos believes that both clusters are likely the work of the same actor, with the second cluster building upon the initial activity to establish persistent access on compromised systems.

Cisco has emphasized its commitment to transparency in dealing with critical security issues. In a statement, a Cisco spokesperson stated that they handle these issues with top priority to ensure that customers are fully aware of the situation and know how to address it. They have been working diligently to provide a software fix for this vulnerability and urge customers to take immediate action as outlined in the security advisory.

This is not the first zero-day Cisco has faced in IOS XE recently. Just last month, in September 2023, it disclosed CVE-2023-20109, a flaw in the software’s Group Encrypted Transport VPN (GET VPN) feature that could also let an attacker take control of a targeted system. Unlike CVE-2023-20198, however, exploiting that flaw requires an attacker who already has administrative control of a GET VPN group member or key server, which is why the new, unauthenticated bug is the more urgent of the two.

As the industry eagerly waits for Cisco to release a patch for CVE-2023-20198, it is crucial for organizations using Cisco IOS XE Software with the web UI feature enabled to follow Cisco’s recommendations and disable the HTTP Server feature. Additionally, organizations should remain vigilant and monitor their systems for any signs of compromise. Timely adoption of the necessary security measures will help mitigate the risk posed by this actively exploited vulnerability.

In conclusion, Cisco acknowledges the seriousness of the situation and is working tirelessly to address the issue. As they continue to investigate and develop a patch, it is important for users to stay informed and take proactive steps to protect their systems and networks.
