Cisco comes with a warning to its customers about an IOS XE devices of a critical vulnerability that has no patch and is actively being exploited in the wild.
The vulnerability, tracked as CVE-2023-20198, with a CVSS score of 10 and is found in all Cisco IOS XE devices that have the Web UI feature enabled. The vulnerability affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.
The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which gives the attacker complete control of the affected system.
As per the statement from Cisco, the attackers were exploiting the vulnerability were first discovered on Sept. 28 when unusual behavior on a customer device was detected, although the first attack was since found to have occurred on Sept. 18. Cisco Talos Incident Response and Cisco’s Technical Assistance Center later detected an additional cluster of related activity on Oct. 12 when an unauthorized user was observed creating a local user account under the name “cisco_support” from a suspicious IP address.
The local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine if the implant is present on any affected device.
Given that no patch, mitigation, or workaround is currently available to address the vulnerability, Cisco is advising all IOS XE device customers to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, customers should use the comments “no ip http server” or “no ip http secure-server” command in global configuration mode.
Indicators of Compromise