Zero-Day Alert: Unpatched Vulnerability in Cisco IOS XE Systems Leads to Thousands of Compromises

October 17, 2023

Cisco has disclosed a critical vulnerability, CVE-2023-20198, in the Web UI component of its IOS XE operating system and warned that it is under active exploitation. The flaw carries the maximum CVSS severity score of 10.0. Cisco observed an attacker using it to create a local account with privilege level 15, the highest administrator level on IOS XE, and then abusing a second Web UI flaw to install a Lua-based implant that gives the attacker arbitrary command execution on the device. Cisco's initial assessment attributed that second step to CVE-2021-1435, a remote code execution bug patched in 2021; it later revised this and tracked the second flaw separately as CVE-2023-20273.

The scope of the compromise appears to be far larger than Cisco's advisory initially suggested. Researchers who scanned roughly half of the IOS XE devices exposed to the Internet, as indexed by search engines such as Shodan and Censys, found the implant on at least 10,000 of them. The compromised systems are spread across many countries, so this is not a regionally focused campaign.

Determining whether the attacks are opportunistic or targeted has proven challenging. While opportunistic attacks typically involve threat actors using publicly available or researcher-developed proof-of-concept exploits, the activity targeting CVE-2023-20198 seems to involve a zero-day exploit and a custom implant. However, the large number of exploited systems suggests a more indiscriminate approach. All compromised Cisco IOS XE systems carry the same implant, indicating a single threat actor behind the attacks.

The initial auth-bypass vulnerability remains unpatched, making it easy to find vulnerable targets through a simple Shodan query. Researchers have also reported Internet-wide exploit activity targeting the Cisco zero-day vulnerability, with the threat actor seemingly attempting to exploit every affected system they can find. The strategy appears to be to exploit all systems first and then determine which are of interest.
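
Because the same implant turns up on every compromised device, defenders can hunt for it with the indicators Cisco published rather than waiting for a patch. The script below is an added example, not code from the article, from Cisco or from the researchers it cites: it scans IOS XE syslog output for the three log messages Cisco's advisory associates with this campaign (programmatic configuration by the SEP_webui_wsma_http process, a Web UI install operation, and a Web UI login by an unexpected account), flags the attacker-created usernames Cisco reported, and implements the Talos implant check that POSTs to /webui/logoutconfirm.html?logon_hash=1 and treats a bare hexadecimal reply as a hit. The sample log lines are constructed to match the published message formats and are not real device output; the known-user set and hostnames are assumptions.

```python
import re

# Indicators of CVE-2023-20198 exploitation as published by Cisco (assumed verbatim
# from Cisco's advisory and the Talos write-up; check the current advisory for changes).
# Usernames the attacker was observed creating with privilege level 15:
SUSPECT_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Configuration pushed programmatically by the Web UI process, i.e. via the path the
# attacker abused. The user named here should be one your team recognises.
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http "
    r"from console as (?P<user>\S+) on line"
)
# A file added through the Web UI install operation (how the implant was dropped).
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)"
)
# Web UI login; suspicious when the account or the source address is unexpected.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)


def scan_syslog(lines, known_users):
    """Return (severity, reason, line) tuples for lines matching the published indicators.

    `known_users` is the set of accounts that are supposed to exist on the device;
    anything else (and the attacker's known usernames in particular) is flagged.
    """
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = CONFIG_P_RE.search(line)
        if m:
            user = m.group("user")
            if user in SUSPECT_USERS or user not in known_users:
                findings.append(("high", f"Web UI programmatic config change by unexpected user {user}", line))
            continue
        m = INSTALL_RE.search(line)
        if m:
            findings.append(("high", f"file {m.group('file')} installed via Web UI by {m.group('user')}", line))
            continue
        m = WEBLOGIN_RE.search(line)
        if m:
            user = m.group("user")
            if user in SUSPECT_USERS or user not in known_users:
                findings.append(("medium", f"Web UI login by unexpected user {user} from {m.group('src')}", line))
    return findings


# Talos' implant check: POST to /webui/logoutconfirm.html?logon_hash=1. A bare hexadecimal
# string in the response body means the implant answered. Later implant variants required
# an Authorization header, so a miss here is not proof of a clean device.
HEX_BODY_RE = re.compile(r"^\s*[0-9a-fA-F]{8,}\s*$")


def implant_check_hit(body: str) -> bool:
    """True if a logoutconfirm response body looks like the implant's hex reply."""
    return bool(HEX_BODY_RE.match(body))


def check_device(host: str, timeout: float = 5.0) -> bool:
    """Live version of the check against one device (network call; not used by the sample below)."""
    import ssl
    import urllib.error
    import urllib.request

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # IOS XE Web UI certificates are usually self-signed
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1", data=b"", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return implant_check_hit(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False  # e.g. 404: endpoint absent, or an implant variant that hides itself


# Constructed sample log lines modelled on the formats in Cisco's advisory (not real device output).
SAMPLE_LOG = [
    "*Oct 11 03:42:13.500: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023",
    "*Oct 11 03:42:20.001: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 5",
    "*Oct 11 03:45:02.312: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD 2023-10-11_03:45:01.000",
    "*Oct 11 08:00:00.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.100.5] at 08:00:00 UTC Wed Oct 11 2023",
    "*Oct 11 08:01:10.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.100.5)",
]
KNOWN_USERS = {"netops"}  # assumed: the accounts that legitimately exist on this device

if __name__ == "__main__":
    for sev, reason, line in scan_syslog(SAMPLE_LOG, KNOWN_USERS):
        print(f"[{sev}] {reason}\n    {line}")
```

Run it against exported syslog (or a SIEM search built from the same three patterns) and treat any high finding as a reason to inspect the running configuration for unknown privilege-15 users. The logon_hash probe is only useful as a positive signal: the implant was updated during the campaign to answer only requests carrying an Authorization header, so a negative result should not close an investigation.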

Cisco has not yet released a fixed software version. It recommends that organizations immediately disable the HTTP Server feature (both the ip http server and ip http secure-server commands) on all Internet-facing IOS XE devices, and its updated advisory notes that restricting access to the feature with an access list is an effective mitigation where the Web UI must remain reachable. Either control should be applied carefully, since other services can depend on the HTTP server and a blanket change can interrupt production traffic. Turning the Web UI off also does not clean an already compromised device: the implant itself does not survive a reboot, but any privilege-15 account the attacker created does, so devices should be checked for unexpected local users and for the indicators Cisco published before the mitigation is treated as sufficient.
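
The following IOS XE configuration is an added example, not from the article or from Cisco's advisory, showing the exposed state beside the two mitigations described above. The access-list name WEBUI-MGMT and the management subnet 10.0.100.0/24 are hypothetical; substitute your own. The show filter is the one Cisco's advisory suggests for confirming whether the HTTP server is enabled.

```cisco
! 1. Confirm what is currently enabled (filter suggested in Cisco's advisory)
show running-config | include ip http server|secure|active

! Exposed state: the Web UI listens on every interface with no source restriction
ip http server
ip http secure-server

! 2a. Cisco's primary recommendation: disable the HTTP Server feature entirely
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! 2b. If the Web UI must stay up, permit only the management network and log everything else
configure terminal
 ip access-list standard WEBUI-MGMT
  permit 10.0.100.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-MGMT
end
write memory

! 3. Re-run the check; the output should show the server disabled or the access-class applied
show running-config | include ip http server|secure|active|access-class
```

The named-ACL form ip http access-class ipv4 is available on current IOS XE releases; older trains take a numbered standard ACL with ip http access-class instead. Per Cisco's advisory, devices that already have both ip http active-session-modules none and ip http secure-active-session-modules none configured are not exploitable over HTTP or HTTPS, so that state is an acceptable alternative to removing the server. None of these changes removes an implant or an attacker-created account that is already present; hunt for those separately.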

Cisco is currently working on a software fix for the vulnerability. In the meantime, it reiterated that customers should immediately implement the steps outlined in the security advisory.
