On Monday, October 16, Cisco’s Talos group published a blog on an active threat campaign exploiting CVE-2023-20198, a “previously unknown” zero-day vulnerability in the web UI component of Cisco IOS XE software. IOS XE is an operating system that runs on a wide range of Cisco networking devices, including routers, switches, wireless controllers, access points, and more. Successful exploitation of CVE-2023-20198 allows a remote, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, effectively enabling a complete takeover of the system.
There is no patch for CVE-2023-20198 as of October 17, 2023. As Cisco Talos noted in their blog, it is being actively exploited in the wild. There appear to be a significant number of devices running IOS XE on the public internet as of October 17. Estimates of internet-exposed devices running IOS XE vary, but the attack surface area does appear to be relatively large; one estimate puts the exposed device population at 140K+.
In the activity Cisco observed, attackers created (malicious) local user accounts from suspicious IP addresses. Additional activity has included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or IOS level. Cisco has an extensive description of the malicious behavior they’ve observed here.
Affected products
Cisco’s public advisory on CVE-2023-20198 merely says that Cisco IOS XE software is vulnerable if the web UI feature ..
Support the originator by clicking the read the rest link below.
