December 2, 2023

Cisco has warned its customers about a critical vulnerability in IOS XE devices that has no patch and is being actively exploited in the wild.

The vulnerability, tracked as CVE-2023-20198 with a CVSS score of 10, is found in all Cisco IOS XE devices that have the Web UI feature enabled. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.

The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which gives the attacker complete control of the affected system.

According to Cisco's statement, the attackers exploiting the vulnerability were first discovered on Sept. 28, when unusual behavior on a customer device was detected, although the first attack has since been found to have occurred on Sept. 18. Cisco Talos Incident Response and Cisco's Technical Assistance Center later detected an additional cluster of related activity on Oct. 12, when an unauthorized user was observed creating a local user account under the name “cisco_support” from a suspicious IP address.


The local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator-level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine whether the implant is present on an affected device.

Since no patch, mitigation, or workaround is currently available to address the vulnerability, Cisco is advising all IOS XE device customers to disable the HTTP Server feature on all internet-facing systems. To disable it, customers should enter the “no ip http server” or “no ip http secure-server” command in global configuration mode.
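The two defensive checks the post describes, looking for new or unexplained local accounts and confirming the HTTP/HTTPS server is off, can be automated against a saved running-config. The script below is an added example written for this page; it is not Cisco's tool and does not reproduce the implant-check command Talos published. It assumes you already have the text of `show running-config` (for example from an existing configuration-backup job) and a baseline set of the privilege-15 accounts you expect on the device; the `SAMPLE_CONFIG` is constructed for the demonstration and is not from any real device.

```python
"""Audit a Cisco IOS XE running-config for CVE-2023-20198 exposure indicators.

Added example (not from the original post or from Cisco). Checks:
  1. local 'username' lines for the two usernames the post lists as
     indicators of compromise, and for privilege-15 accounts that are
     not in your expected baseline;
  2. whether 'ip http server' / 'ip http secure-server' is still enabled,
     and which global-config commands from the post would remove it.
"""
import re
from dataclasses import dataclass, field

# Usernames listed as indicators of compromise in the post.
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# "username NAME [privilege N] ..." - privilege defaults to 1 when absent.
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?", re.MULTILINE
)
# "ip http server", "ip http secure-server", or their "no ..." forms.
HTTP_RE = re.compile(
    r"^(?P<neg>no\s+)?ip http (?P<kind>secure-server|server)\s*$", re.MULTILINE
)


@dataclass
class AuditResult:
    ioc_accounts: list = field(default_factory=list)       # names on the IoC list
    unexpected_priv15: list = field(default_factory=list)  # priv-15 names not in baseline
    http_server: bool = False                              # 'ip http server' enabled
    https_server: bool = False                             # 'ip http secure-server' enabled

    @property
    def web_ui_enabled(self) -> bool:
        return self.http_server or self.https_server

    def mitigation_commands(self) -> list:
        """Global-config commands (from the post) that remove the exposure."""
        cmds = []
        if self.http_server:
            cmds.append("no ip http server")
        if self.https_server:
            cmds.append("no ip http secure-server")
        return cmds


def parse_local_users(config: str) -> dict:
    """Return {username: privilege_level} for every local 'username' line."""
    users = {}
    for m in USERNAME_RE.finditer(config):
        users[m.group("name")] = int(m.group("priv")) if m.group("priv") else 1
    return users


def web_ui_state(config: str) -> tuple:
    """Return (http_enabled, https_enabled). The last matching line wins, so
    an explicit 'no ip http server' that follows an enable is honoured."""
    http = https = False
    for m in HTTP_RE.finditer(config):
        enabled = m.group("neg") is None
        if m.group("kind") == "server":
            http = enabled
        else:
            https = enabled
    return http, https


def audit_config(config: str, baseline_admins: set) -> AuditResult:
    """baseline_admins: the privilege-15 accounts you expect on this device."""
    result = AuditResult()
    for name, priv in parse_local_users(config).items():
        if name in IOC_USERNAMES:
            result.ioc_accounts.append(name)
        elif priv == 15 and name not in baseline_admins:
            result.unexpected_priv15.append(name)
    result.http_server, result.https_server = web_ui_state(config)
    return result


# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
username svc_tmp privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

if __name__ == "__main__":
    r = audit_config(SAMPLE_CONFIG, baseline_admins={"netadmin"})
    print("IoC usernames present:", r.ioc_accounts)
    print("Unexpected privilege-15 accounts:", r.unexpected_priv15)
    print("Web UI enabled:", r.web_ui_enabled)
    for cmd in r.mitigation_commands():
        print("  apply in global configuration mode:", cmd)
```

Run it over each device's backed-up config; any name in `ioc_accounts` or `unexpected_priv15` is a lead for incident response, and a non-empty `mitigation_commands()` list means the device still exposes the Web UI and the post's workaround has not been applied. A line such as `ip http authentication local` is deliberately ignored, since only the server toggles themselves decide whether the Web UI is reachable.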

Indicators of Compromise

IP addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231

Usernames:

  • cisco_tac_admin
  • cisco_support
