Cisco Systems has recently disclosed a severe, unpatched vulnerability affecting its IOS XE software, which is currently under active exploitation by threat actors. The zero-day flaw, identified as CVE-2023-20198, holds a critical severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS).

This vulnerability specifically impacts enterprise networking hardware with the web UI feature enabled, particularly when that interface is reachable from the internet or from untrusted networks. According to Cisco, the flaw allows a remote, unauthenticated attacker to create a local user account with privilege level 15, the highest level of access. That account can then be used to take full control of the affected system.

The security gap affects both physical and virtual systems using Cisco IOS XE software that also have HTTP or HTTPS services enabled. To mitigate risks, Cisco advises disabling the HTTP server on any systems exposed to the internet.

The impetus for Cisco’s warning stemmed from malicious activity detected on an unnamed customer device beginning September 18, 2023. Reports indicate that an unauthorized user account, “cisco_tac_admin,” was created from a suspicious IP address. Following this, on October 12, 2023, another unauthorized account, “cisco_support,” was created from a different IP address, marking an escalation in the attack.
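The two conditions the article has described so far, an exposed HTTP/HTTPS server and unexpected privilege-15 local accounts, can both be checked from a device's running configuration. The following audit script is an added example, not Cisco's tooling; the configuration text is constructed for illustration, the `netadmin` allow-list entry is assumed, and the `no ip http server` / `no ip http secure-server` commands are the standard IOS XE commands that implement the mitigation Cisco advises.

```python
import re

# Constructed sample of `show running-config` output (not a real capture).
# It contains the conditions the article describes: the web UI enabled and
# an unexpected privilege-15 local account named like the one Cisco saw.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Matches "username <name> privilege <level> ..." lines in an IOS config.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)

# Mitigation commands from Cisco's advice: disable the HTTP and HTTPS servers.
REMEDIATION = {
    "http-server-enabled": "no ip http server",
    "https-server-enabled": "no ip http secure-server",
}


def audit_config(config, expected_admins):
    """Return a list of findings for an IOS XE running-config text.

    expected_admins: set of local usernames allowed to hold privilege 15.
    Any other level-15 account is reported, because the article notes that
    attacker-created accounts persist across reboots even when the implant
    does not.
    """
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    if "ip http server" in lines:
        findings.append("http-server-enabled")
    if "ip http secure-server" in lines:
        findings.append("https-server-enabled")
    for user, level in USERNAME_RE.findall(config):
        if int(level) == 15 and user not in expected_admins:
            findings.append(f"unexpected-priv15-user:{user}")
    return findings


def remediation_commands(findings):
    """Map web-server findings to the configuration commands that close them."""
    return [REMEDIATION[f] for f in findings if f in REMEDIATION]
```

Rogue accounts are reported but not removed automatically, since an account review is an incident-response decision rather than a configuration fix.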

Investigations revealed that subsequent actions led to the deployment of a Lua-based implant, which gives the intruder the ability to execute arbitrary commands both at the system level and within the IOS environment. Cisco assesses that the implant was deployed by exploiting CVE-2021-1435, a previously patched vulnerability, together with as-yet undisclosed methods in cases where the device had already been patched against that flaw.

Cisco noted that for the implant to activate, the web server must be restarted; in at least one recorded instance the web server was not restarted, so the implant remained inactive despite being installed. Notably, the implant is not persistent and does not survive a device reboot, yet the rogue accounts established by the attackers remain in place.

The investigative team at Cisco suspects these two clusters of activities stem from the same threat actor, although the origins of this adversary remain unclear. This malicious activity led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a formal advisory and include the flaw in the Known Exploited Vulnerabilities (KEV) catalog.

The nature of these attacks is concerning, as they enable adversaries to potentially intercept or alter network traffic, gain unauthorized access to sensitive networks, and carry out man-in-the-middle attacks. Analysis from threat management firms indicates that thousands of Cisco IOS XE devices may already be compromised, with the largest concentration of infections in the United States and further infections observed in many other countries.

Cisco remains committed to transparency and is prioritizing the resolution of this critical issue. The company has published a security advisory outlining the vulnerability and continues to work on a software patch. Business owners relying on Cisco’s equipment should take immediate action as advised, due to the heightened risks associated with this newly identified threat.

For more information, Cisco has directed users to review its updated security advisory and accompanying resources for guidance on securing their devices in light of this vulnerability.