Second Cisco IOS XE Zero Day Exploited in Wild – CVE-2023-20273
Share this:
A second IOS XE zero-day vulnerability in Cisco tracked as CVE-2023-20273, which is actively exploited in attacks in the wild. Earlier last week, customers of Cisco were warned about a zero-day vulnerability, tracked as CVE-2023-20198, in its IOS XE Software that is actively exploited in attacks.
Threat actors have exploited the recently disclosed critical zero-day vulnerability to compromise thousands of Cisco IOS XE devices. The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.
The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.
The flaw affects physical and virtual devices running with the Web User Interface feature enabled and that have the HTTP or HTTPS Server feature in use.
The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.
Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet. Meanwhile, security firms around the world have detected around 30K+ devices vulnerable.
Now, Cisco discovered a second actively exploited IOS XE zero-day vulnerability tracked as CVE-2023-20273.
While investigating attacks exploiting the flaw CVE-2023-20198, Cisco noticed attacks on systems patched against this issue, a circumstance that suggested that threat actors were exploiting a second zero-day flaw.
The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 commands to create a local user and password combination. This allowed the user to log in with normal user access.
The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.
- CVE-2023-20198 has been assigned a CVSS Score of 10.0.
- CVE-2023-20273 has been assigned a CVSS Score of 7.2.
Cisco has now addressed both zero-day vulnerabilities and also provided mitigations for them.
Threat actors are hiding their implants using various TTPs to escape from being caught. So even if you have disabled your WebUI, it is recommended to carry out an investigation to make sure that no malicious users have been added and that its configuration has not been altered
The US CISA has released guidance for addressing CVE-2023-20198 and CVE-2023-20273. It has also added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, instructing federal agencies to immediately address them.
NICE POST 💙