Unpatched Zero-Day Vulnerability Compromises Over 10,000 Cisco IOS XE Systems

October 17, 2023

A severe and unpatched vulnerability in the Cisco IOS XE operating system has been exploited, leading to over 10,000 devices being compromised worldwide. The flaw, identified as CVE-2023-20198, has been taken advantage of by an unknown threat actor to infect devices with an implant that allows for arbitrary code execution. Cisco revealed the flaw, which has a severity rating of 10 out of 10, in the Web UI component of IOS XE. It has been observed that the threat actor gained administrator-level privileges on the devices and then exploited a previous remote code execution flaw from 2021 (CVE-2021-1435) to install a Lua-language implant.

The attacks have a global reach, suggesting a widespread issue. The actual number of infections is believed to be significantly higher than what was initially reported. The CTO of a company has identified at least 10,000 compromised Cisco IOS XE systems by scanning only half of the affected devices visible on search engines like Shodan and Censys. The compromised systems are geographically diverse, indicating a global issue.

The nature of the attacks, whether opportunistic or targeted, remains unclear. The attacks do not seem to follow the usual pattern of opportunistic attacks, which typically rely on publicly available or researcher-developed proof-of-concept exploits. At the same time, the high number of exploited systems suggests a broad, indiscriminate approach.

The identical implant found on all compromised systems points to a single threat actor being responsible for the attacks. As the initial vulnerability remains unpatched, finding vulnerable targets is as simple as a search on Shodan. The lack of public details about the vulnerability makes it difficult to determine the ease of exploitation.

Researchers at a security firm reported widespread exploit activity targeting the Cisco zero-day vulnerability. They believe the threat actor is indiscriminately exploiting every system they can find. The attackers appear to be exploiting everything first and then determining what is of interest.

Cisco has not yet released a patch for the zero-day threat, but has advised organizations with affected systems to disable the HTTPS Server feature on Internet-facing IOS XE devices. The company also noted that using access lists to control access to the HTTPS Server feature is an effective mitigation strategy. However, organizations must be cautious when implementing access controls due to the potential for disruption of production services.
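The two mitigations Cisco describes, shown as an added IOS XE configuration example (constructed for this page, not taken from Cisco's advisory): the exposed default state, the fully disabled Web UI, and the access-list variant. The management subnet 10.10.0.0/24 and the ACL name WEBUI-MGMT-ONLY are placeholders.

```cisco
! Constructed example; the management subnet and ACL name are placeholders.

! --- Exposed state: Web UI reachable from any source, including the Internet ---
! Check what the device currently has:
!   Router# show running-config | include ip http
ip http server
ip http secure-server
! (no "ip http access-class" line, so any source address may reach the Web UI)

! --- Mitigation 1: disable the HTTP/HTTPS Server feature on Internet-facing devices ---
! Confirm first that no production workflow (e.g. a management platform that
! onboards devices through the Web UI) depends on it, as the article cautions.
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! --- Mitigation 2: keep the Web UI but restrict it to trusted management sources ---
configure terminal
 ip access-list standard WEBUI-MGMT-ONLY
  permit 10.10.0.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-MGMT-ONLY
 ! Older IOS XE releases use the numbered form: ip http access-class <acl-number>
end
write memory

! --- Verify either change took effect ---
!   Router# show running-config | include ip http
!   Router# show ip http server status
```

The `deny any log` entry means rejected Web UI connection attempts show up in the device log, which gives a simple signal of continued scanning against the device while the patch is pending.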

Cisco, in an emailed statement, said it is working tirelessly to provide a software fix. Until then, customers should immediately implement the steps outlined in the security advisory. The company will provide an update on the status of its investigation through the security advisory.
