Cisco Alerts on Active Exploitation of New IOS XE Zero-Day Vulnerability
October 16, 2023
Cisco has alerted administrators about a severe, unpatched zero-day vulnerability in its IOS XE Software that is currently being actively exploited. The critical flaw, tracked as CVE-2023-20198, allows attackers to gain full administrative rights and total control over affected routers. The vulnerability specifically impacts physical and virtual devices that have the Web User Interface (Web UI) feature and the HTTP or HTTPS Server feature enabled.
The company disclosed, "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks." The successful exploitation of this vulnerability enables an attacker to create an account on the affected device with privilege level 15 access, effectively giving them full control over the compromised device and potentially allowing further unauthorized activity.
The exploitation of this vulnerability was first detected on September 28 by Cisco's Technical Assistance Center (TAC) following reports of unusual activity on a customer device. Further investigation revealed that the malicious activity, which involved the creation of a local user account with the username "cisco_tac_admin" from a suspicious IP address, began as early as September 18. On October 12, additional related activity was detected, involving the creation of another local user account, "cisco_support", from a different suspicious IP address. The threat actor also deployed a malicious implant to execute arbitrary commands at the system or IOS levels.
Cisco assessed that the activities in September and October were likely carried out by the same actor. The company suggested that the first cluster of activity could have been the actor's initial attempt and code testing, while the October activity seemed to indicate the actor expanding their operation to establish persistent access via the implant deployment.
Cisco advised administrators to disable the HTTP server feature on internet-facing systems to remove the attack vector and prevent incoming attacks. The company also recommended that organizations vigilantly monitor for unexplained or newly created user accounts, which could be potential indicators of malicious activity associated with this threat.
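The two recommendations above (remove the exposed Web UI and watch for unexpected local accounts) can both be checked against a device's `show running-config` output. The script below is an added example and is not Cisco's code or part of the advisory; the running-config excerpt is constructed, the secret hashes are placeholders, and the `EXPECTED_PRIV15_ACCOUNTS` allowlist is an assumption an operator would maintain out of band. It flags any privilege-15 local user not on the allowlist (the account names reported in the article are used as sample data, but the check is by allowlist rather than by name, since an attacker can choose any username) and reports whether `ip http server` / `ip http secure-server` are still enabled.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS XE running-config excerpt (not from any real device).
# It shows the conditions the advisory calls out: HTTP/HTTPS server enabled and
# privilege-15 local accounts that the operator did not create.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router
!
username netadmin privilege 15 secret 9 $9$example.placeholder.hash
username cisco_tac_admin privilege 15 secret 9 $9$example.placeholder.hash
username cisco_support privilege 15 secret 9 $9$example.placeholder.hash
username monitor privilege 1 secret 9 $9$example.placeholder.hash
!
ip http server
ip http secure-server
!
"""

# Assumption: the set of privilege-15 accounts the operator knows about,
# maintained outside the device (e.g. in a CMDB), so new ones stand out.
EXPECTED_PRIV15_ACCOUNTS = {"netadmin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def parse_local_users(config: str) -> Dict[str, int]:
    """Return {username: privilege level} for every 'username ... privilege N' line."""
    users: Dict[str, int] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2))
    return users


def http_server_state(config: str) -> Dict[str, bool]:
    """Report whether the HTTP and HTTPS server features are enabled.

    In IOS/IOS XE config, 'ip http server' enables the plain HTTP server and
    'ip http secure-server' the HTTPS server; the 'no ...' forms disable them.
    """
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines and "no ip http server" not in lines,
        "https": "ip http secure-server" in lines
        and "no ip http secure-server" not in lines,
    }


def unexpected_priv15_accounts(config: str, expected=EXPECTED_PRIV15_ACCOUNTS) -> List[str]:
    """Privilege-15 local accounts not on the allowlist; each one warrants investigation."""
    users = parse_local_users(config)
    return sorted(u for u, lvl in users.items() if lvl == 15 and u not in expected)


def assess(config: str, expected=EXPECTED_PRIV15_ACCOUNTS) -> Dict[str, object]:
    """Combine both checks into one finding for the device."""
    state = http_server_state(config)
    exposed = state["http"] or state["https"]
    remediation = []
    if state["http"]:
        remediation.append("no ip http server")
    if state["https"]:
        remediation.append("no ip http secure-server")
    return {
        "web_ui_enabled": exposed,
        "unexpected_priv15_accounts": unexpected_priv15_accounts(config, expected),
        # Standard IOS XE commands that disable the Web UI's HTTP/HTTPS server,
        # to be applied from configuration mode.
        "remediation_commands": remediation,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RUNNING_CONFIG)
    print("Web UI HTTP/HTTPS server enabled:", result["web_ui_enabled"])
    print("Unexpected privilege-15 accounts:", result["unexpected_priv15_accounts"])
    print("Suggested config commands:", result["remediation_commands"])
```

Feed the script the text of `show running-config` collected through whatever management channel is already in place; on a device where the Web UI is only needed from a management network, the advisory's guidance is to disable it on internet-facing systems, and any account the script flags should be cross-checked against change records before it is assumed legitimate.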
In a separate incident last month, Cisco urged customers to patch another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software that was being targeted by attackers.