A critical flaw in Cisco IOS XE software is being widely exploited, according to cybersecurity firm VulnCheck. On Monday, Cisco disclosed a zero-day vulnerability, tracked as CVE-2023-20198, in its IOS XE software that is under active exploitation. The vulnerability affects every IOS XE device with the web UI feature (the HTTP or HTTPS server) enabled and reachable by an attacker, and it allows remote attackers to take control of the device.
According to Cisco's advisory, the vulnerability lets an unauthenticated, remote attacker create a local account on an affected device with privilege level 15, the highest administrative level in IOS XE. The attacker can then log in with that account and control the device. In the observed attacks, the attacker went on to deploy an implant, delivered as a configuration file, as described in a blog post by Cisco Talos.
Currently, there is no patch available for the vulnerability. In response, Cisco has recommended that customers disable the HTTP Server feature on all internet-facing systems by entering "no ip http server" and "no ip http secure-server" in global configuration mode, which turns off the web UI entirely, or at least restrict access to it to trusted networks. The advisory also includes instructions for disabling the feature and indicators of compromise to help customers determine whether their systems have been affected.
VulnCheck scanned the internet for the implant and found thousands of compromised hosts in the wild. The security vendor released a scanner to help customers detect the implant on their own devices. Jacob Baines, CTO of VulnCheck, emphasized the severity of the situation, stating that privileged access on IOS XE gives attackers the opportunity to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks.
Netlas.io, an internet scan provider, reported that it had detected 80,714 instances likely vulnerable to CVE-2023-20198. The vulnerability carries a CVSS score of 10.0, the maximum rating, because it lets a remote, unauthenticated attacker create a privilege-level-15 account on an affected device.
To help organizations identify the malicious implant, Cisco provided a check that works on both physical and virtual devices: an HTTP POST to the device's web UI endpoint that, if the implant is present, returns a hexadecimal string. According to Cisco Talos researchers, the implant is not persistent and is removed by rebooting the device. However, they caution that any new admin accounts created by the attacker remain in the running and startup configuration after a reboot. Therefore, organizations should review their local user accounts and system logs for suspicious accounts that may have been created recently, not just run the implant check.
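The following script is an added example for this article, not Cisco's or VulnCheck's own tooling. It packages the triage steps above into offline checks: it interprets the body returned by Cisco's implant probe (a POST to /webui/logoutconfirm.html?logon_hash=1, which the implant answers with an 18-character hexadecimal string), lists privilege-15 local accounts that the administrator does not recognize, reports whether the HTTP/HTTPS server is still enabled, and scans syslog for the log messages Cisco's advisory lists as indicators of compromise (the %SYS-5-CONFIG_P, %SEC_LOGIN-5-WEBLOGIN_SUCCESS and %WEBUI-6-INSTALL_OPERATION_INFO messages, and the usernames cisco_tac_admin and cisco_support). The sample running-config and log lines embedded in it are constructed for the example; the hostname, the "netops" account and the addresses are placeholders. One caveat: Cisco later reported the implant had been modified so that the original probe no longer reliably triggers the hex reply, so a clean probe result should not be read as proof of absence; the account and log checks still apply.

```python
"""Offline triage helpers for CVE-2023-20198 (added example, not vendor code)."""
import re
import ssl
import urllib.request

# Usernames Cisco's advisory lists as seen in the wild. Any other local
# account the administrator did not create is equally suspect.
KNOWN_ATTACKER_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# The implant replies to Cisco's probe with an 18-character hex string.
IMPLANT_HEX_RE = re.compile(r"^[0-9a-fA-F]{18}$")


def classify_implant_response(body: str) -> bool:
    """True if the probe body looks like the implant's hash reply."""
    return bool(IMPLANT_HEX_RE.match(body.strip()))


def probe_device(host: str, timeout: float = 5.0) -> str:
    """Live form of Cisco's check (equivalent to curl -k -X POST ...). Network call;
    the offline checks below do not use it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # like curl -k: device certs are usually self-signed
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")


def find_privileged_accounts(running_config: str, expected: set) -> list:
    """Local accounts with privilege 15 that are not in the admin's expected set."""
    found = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and m.group(2) == "15" and m.group(1) not in expected:
            found.append(m.group(1))
    return found


def http_server_enabled(running_config: str) -> dict:
    """Whether 'ip http server' / 'ip http secure-server' are present (enabled)."""
    state = {"http": False, "https": False}
    for line in running_config.splitlines():
        s = line.strip()
        if s == "ip http server":
            state["http"] = True
        elif s == "ip http secure-server":
            state["https"] = True
    return state


# Log messages from Cisco's advisory; group(1) captures the username involved.
IOC_PATTERNS = [
    re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http .* as (\S+)"),
    re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\]"),
    re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD"),
]


def find_suspicious_log_lines(log_text: str, expected: set) -> list:
    """(username, line) pairs for IoC messages tied to unknown or known-bad users."""
    hits = []
    for line in log_text.splitlines():
        for pat in IOC_PATTERNS:
            m = pat.search(line)
            if m:
                user = m.group(1)
                if user in KNOWN_ATTACKER_USERNAMES or user not in expected:
                    hits.append((user, line))
                break
    return hits


# Constructed sample data (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
"""

SAMPLE_LOG = """\
*Oct 12 03:41:58.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:41:58 UTC Thu Oct 12 2023
*Oct 12 03:42:13.000: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
*Oct 12 03:42:40.000: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
*Oct 12 09:15:02.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 09:15:02 UTC Thu Oct 12 2023
"""

if __name__ == "__main__":
    expected_users = {"netops"}
    print("implant reply?", classify_implant_response("0123456789abcdef01"))
    print("unknown priv-15 accounts:", find_privileged_accounts(SAMPLE_CONFIG, expected_users))
    print("web UI state:", http_server_enabled(SAMPLE_CONFIG))
    for user, line in find_suspicious_log_lines(SAMPLE_LOG, expected_users):
        print("IoC:", user, "|", line)
```

Feed it the output of "show running-config" and "show logging" collected from the device; any hit in the account or log checks warrants treating the device as compromised regardless of the probe result, since the implant is wiped by a reboot but the attacker's account is not.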
When asked about the extent of the exploitation activity, a Cisco spokesperson declined to comment. TechTarget Editorial has reached out to the company for additional information.
This critical flaw in Cisco IOS XE software highlights the ongoing challenge of ensuring the security of network devices. As cyber threats continue to evolve, it is crucial for organizations to promptly address vulnerabilities and implement necessary security measures to protect their systems and data.
