Cisco has alerted administrators about a severe, unpatched zero-day vulnerability in its IOS XE Software, which is currently being actively exploited. This critical flaw, tagged as CVE-2023-20198, allows attackers to gain full administrative rights and total control over affected routers. The vulnerability specifically impacts physical and virtual devices that have the Web User Interface (Web UI) feature and the HTTP or HTTPS Server feature enabled.
The company disclosed, "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks." The successful exploitation of this vulnerability enables an attacker to create an account on the affected device with privilege level 15 access, effectively giving them full control over the compromised device and potentially allowing further unauthorized activity.
The exploitation of this vulnerability was first detected on September 28 by Cisco's Technical Assistance Center (TAC) following reports of unusual activity on a customer device. Further investigation revealed that the malicious activity, which involved the creation of a local user account with the username "cisco_tac_admin" from a suspicious IP address, began as early as September 18. On October 12, additional related activity was detected, involving the creation of another local user account, "cisco_support", from a different suspicious IP address. The threat actor also deployed a malicious implant to execute arbitrary commands at the system or IOS levels.
Cisco assessed that the activities in September and October were likely carried out by the same actor. The company suggested that the first cluster of activity could have been the actor's initial attempt and code testing, while the October activity seemed to indicate the actor expanding their operation to establish persistent access via the implant deployment.
Cisco advised administrators to disable the HTTP server feature on internet-facing systems to remove the attack vector and prevent incoming attacks. The company also recommended that organizations vigilantly monitor for unexplained or newly created user accounts, which could be potential indicators of malicious activity associated with this threat.
In a separate incident last month, Cisco urged customers to patch another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software that was being targeted by attackers.