The vulnerability, rooted in the web UI feature, affects Cisco IOS XE software with enabled HTTP or HTTPS server features. Attackers exploit this flaw to create unauthorized accounts with privilege level 15 access, granting them complete control over the compromised system. Cisco has assigned the maximum severity rating of 10.0 to this vulnerability, emphasizing its critical nature.
Cisco detected the malicious activity in September 2023 when unauthorized users created suspicious local accounts named "cisco_tac_admin" and "cisco_support." These activities escalated, leading to the deployment of a Lua-based implant that enables attackers to execute arbitrary commands. Despite the implant not being persistent across reboots, the unauthorized accounts created by the attackers remain active, raising concerns about long-term compromises.
Reports indicate that over 10,000 Cisco IOS XE devices have already been compromised, with attackers leveraging this vulnerability to infiltrate various devices, including switches, routers, access points, and wireless controllers. VulnCheck, a threat intelligence company, discovered these infected hosts, highlighting the situation's urgency.
The exploitation of CVE-2023-20198 allows attackers to potentially monitor network traffic, pivot into protected networks, and execute man-in-the-middle attacks. As a temporary mitigation measure, Cisco has urged administrators to disable the vulnerable HTTP server feature on all internet-facing systems. However, a patch to address this vulnerability is still pending. Please read about how to find and mitigate this vulnerability in our knowledge base.
Cisco recommends that administrators remain vigilant, checking for any signs of suspicious or recently created user accounts as potential indicators of malicious activity related to this threat. The situation continues to evolve, and organizations using Cisco IOS XE systems must take immediate action to assess their systems for compromises and implement appropriate security measures.
The active exploitation of the unpatched Cisco zero-day vulnerability poses a severe threat to organizations worldwide. With thousands of devices already compromised, the situation demands immediate attention and decisive action. Administrators must prioritize disabling vulnerable features, monitor for unauthorized accounts, and stay updated with Cisco's security advisories. As the cyber security landscape evolves, staying proactive and informed is crucial to safeguarding digital infrastructures against emerging threats.
Cisco has recently disclosed a critical zero-day flaw, CVE-2023-20273, which is being actively exploited to deploy a malicious Lua-based implant in conjunction with the previously identified CVE-2023-20198.
CVE-2023-20273, with a CVSS score of 7.2, exploits a privilege escalation flaw within the web UI feature of Cisco's IOS XE software. Cybercriminals utilize this flaw after gaining initial access through CVE-2023-20198. By leveraging CVE-2023-20273, threat actors elevate their privileges to root, allowing them to deploy malicious implants on compromised devices. This gives them unrestricted access to execute arbitrary commands at the system level, posing a severe threat to network integrity.
CVE-2023-20273 is intricately linked with CVE-2023-20198, an authentication bypass zero-day. Initially exploited by unauthorized attackers on 18 September, CVE-2023-20198 enabled the creation of unauthorized user accounts, providing the foundation for the subsequent privilege escalation attack using CVE-2023-20273. Together, these vulnerabilities form a potent exploit chain, allowing attackers to extensively compromise Cisco IOS XE devices.
The consequences of these vulnerabilities are dire. Over 40,000 Cisco devices, including switches, routers, access points, and wireless controllers, have fallen victim to these exploits. The affected devices are distributed across various sectors, impacting enterprises and individuals. Furthermore, Shodan searches reveal that a staggering 146,000 vulnerable systems are exposed to potential attacks, underscoring the widespread nature of this threat.
Cisco has identified fixes for CVE-2023-20198 and CVE-2023-20273, slated for release via the Cisco Software Download Center, starting 22 October. While awaiting official patches, administrators are urged to disable the vulnerable HTTP server feature on all internet-facing systems. This proactive step can block incoming attacks, safeguarding devices from potential compromise. Please read about how to find and mitigate these vulnerability in our knowledge base.
Read more in the official Cisco advisory.