Cisco has issued an urgent warning regarding a severe zero-day vulnerability in its IOS XE software, which is currently being exploited by an unknown actor to introduce a malicious Lua-based implant on affected devices. The vulnerability, designated as CVE-2023-20273, carries a CVSS score of 7.2 and is associated with privilege escalation through the web UI feature. This flaw has reportedly been used in conjunction with another severe vulnerability, CVE-2023-20198, which holds a CVSS score of 10.0, as part of a coordinated exploitation strategy.
In an advisory released on Friday, Cisco outlined how the attack unfolds: the adversary first leverages CVE-2023-20198 to gain initial access, ultimately executing privileged commands to create a local user account. This compromised access allows attackers to log in with normal user privileges, paving the way for further exploitation.
The subsequent step involves utilizing the newly created local user account to escalate privileges to root level within the web UI, thereby uploading the malicious implant to the system’s file system. This privilege escalation vulnerability is specifically tracked under CVE-2023-20273. Cisco has indicated that a remedial patch addressing both vulnerabilities will be made available to customers beginning October 22, 2023, recommending immediate disabling of the HTTP server feature in the interim.
Previously, Cisco had identified a different vulnerability, CVE-2021-1435, which had been exploited to install a backdoor. However, investigations into the ongoing exploits have revealed that this older vulnerability is no longer tied to the recent activities given the emergence of the new zero-day flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted the serious implications of these newly discovered vulnerabilities, stating that an unauthenticated remote attacker could gain full control over an affected system. This includes the ability to create privileged accounts, which grants comprehensive access to all device functionalities.
Successful exploitation of these vulnerabilities could enable attackers to establish unfettered remote access to routers and switches, allowing them to monitor and manipulate network traffic and potentially leverage compromised systems as persistent footholds within organizational networks. Recent data indicates that over 41,000 Cisco devices with the vulnerable IOS XE software have been compromised by threat actors exploiting these flaws, as reported by Censys and LeakIX. By October 19, the number of compromised devices had stabilized at 36,541, primarily affecting smaller entities rather than large corporations.
As part of the ongoing analysis of these incidents, it is critical to consider the techniques used according to the MITRE ATT&CK framework. Initial access tactics likely include exploiting vulnerabilities for entry, followed by privilege escalation tactics to gain root access. Persistence techniques may also have been utilized, as attackers can establish a resilient presence on compromised systems.
Cisco has since announced the release of software updates to rectify the two vulnerabilities for IOS XE software version 17.9, with fixes for versions 17.6, 17.3, and 16.12 expected shortly. Detailed release information can be found on Cisco’s official website.
