Cisco has made public a new high-severity zero-day vulnerability, CVE-2023-20273, that is currently being exploited to deploy harmful implants on IOS XE devices. This follows the recent unmasking of another zero-day, CVE-2023-20198, which was used to compromise these devices. Both vulnerabilities are expected to be patched by Cisco, with fixes to be released to customers starting October 22.
The company stated, "Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity."
Earlier this week, Cisco revealed that unauthorized attackers have been exploiting the CVE-2023-20198 authentication bypass zero-day since at least mid-September to infiltrate IOS XE devices and create user accounts named "cisco_tac_admin" and "cisco_support." The newly disclosed CVE-2023-20273 privilege escalation zero-day is then used to gain root access and take complete control over Cisco IOS XE devices to deploy malicious implants that allow them to execute arbitrary commands at the system level.
According to estimates from Censys and LeakIX, over 40,000 Cisco devices running the vulnerable IOS XE software have already been compromised by hackers using the two still-unpatched zero-days. Orange Cyberdefense CERT reported a day later that it discovered malicious implants on 34,500 IOS XE devices.
Cisco IOS XE is used in a range of networking devices including enterprise switches, access points, wireless controllers, and various types of routers. A Shodan search indicates that more than 146,000 vulnerable systems are currently exposed to potential attacks.
While security updates are not yet available, Cisco has advised administrators that they can block incoming attacks by disabling the vulnerable HTTP server feature on all internet-facing systems. The company stressed, "We strongly recommend organizations that may be affected by this activity immediately implement the guidance outlined in Cisco's Product Security Incident Response Team (PSIRT) advisory." Administrators are also urged to look for suspicious or recently created user accounts as potential indicators of malicious activity related to these ongoing attacks.
Last month, Cisco cautioned its customers to patch another zero-day bug (CVE-2023-20109) in its IOS and IOS XE software, which was also targeted by attackers.