Rockwell Automation has issued a warning to its customers regarding the impact of a currently exploited Cisco IOS XE zero-day vulnerability on its Stratix industrial switches. The company has identified that unidentified hackers are exploiting two zero-day vulnerabilities in Cisco IOS XE, tracked as CVE-2023-20198 and CVE-2023-20273. The attackers are creating high-privileged accounts on the affected devices and deploying a Lua-based implant that grants them full control of the system.
Shortly after Cisco disclosed the first zero-day, the cybersecurity community discovered tens of thousands of systems that had been compromised. Last week, Rockwell informed its customers that its Stratix 5800 and 5200 managed industrial Ethernet switches, which operate on the Cisco IOS XE operating system, are impacted by CVE-2023-20198. However, the devices are only affected if the IOS XE web UI feature is activated.
Rockwell's security advisory, published prior to the discovery of the second zero-day, does not mention anything about CVE-2023-20273, which attackers have been using to deliver the implant. Nevertheless, this flaw also affects the IOS XE software, indicating that it likely impacts Rockwell’s switches too.
Rockwell’s advisory disclosed that no patches were available at the time, but Cisco has since released fixes. Rockwell has pledged to provide updates as more information becomes available, highlighting that it's not aware of any attacks specifically targeting its products. 'While Rockwell Automation has no evidence of active exploitation against the Stratix product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer,' the company stated.
The US cybersecurity agency CISA issued its own advisory on Tuesday to alert organizations about Rockwell’s advisory. The ultimate objective of the attackers is still unclear. They still possess control over tens of thousands of Cisco routers and switches, and they have updated their implant in an attempt to maintain control.