Cisco Provides Update on Investigation into Web UI Exploitation
Key Information
- Vendor: Cisco
- Product: Cisco IOS XE Software
- CVE Published: 16 October 2023
Summary
A vulnerability in the web UI feature of Cisco IOS XE Software (CVE-2023-20198) has been exploited in the wild. It allows an unauthenticated remote attacker to create a local account with privilege level 15 on an affected device. The attackers then used a second zero-day (CVE-2023-20273), a command injection in the same web UI, to elevate to root and install a Lua-based implant that gives them remote control of the device. Cisco published its advisory before fixes were available; fixed software releases that address both CVEs have since been released. After public disclosure, the number of internet-facing devices answering the implant check dropped sharply. Later analysis showed this was largely because the implant had been updated to require an HTTP Authorization header before responding, so a negative scan result does not by itself mean a device is clean. Organizations should install the fixed releases, disable the HTTP server feature on internet-facing devices (no ip http server and no ip http secure-server) or restrict it to trusted source addresses, and investigate devices for indicators of compromise: local users the administrator did not create (for example cisco_tac_admin or cisco_support), %SYS-5-CONFIG_P messages from process SEP_webui_wsma_http, and %WEBUI-6-INSTALL_OPERATION_INFO messages. The ongoing exploitation is a reminder that management interfaces must not be exposed to untrusted networks and that patching alone does not remove an implant already installed.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks actively exploited vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog and has listed CVE-2023-20198 as exploited; its use in ransomware campaigns is recorded as unknown. That status may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
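As an added example (not tooling from Cisco, CISA or this page), the script below turns the two checks from Cisco's advisory into functions that can be exercised offline: the unauthenticated implant probe (a POST to /webui/logoutconfirm.html?logon_hash=1 that an implanted device answers with a bare hexadecimal string) and a triage pass over syslog for the login, programmatic-configuration and install indicators. The log lines, HTTP bodies, host name, file name and the netadmin user are constructed samples; the attacker usernames are those Cisco reported.

```python
"""Triage helpers for the Cisco IOS XE web UI compromise (CVE-2023-20198 / CVE-2023-20273).

Added example, not Cisco's tooling. It encodes two checks from Cisco's advisory:
  1. An implanted device answers POST /webui/logoutconfirm.html?logon_hash=1 with a
     bare hexadecimal string; a clean device returns normal HTML or an error.
  2. Syslog indicators: a web login by an unexpected user, programmatic configuration
     by process SEP_webui_wsma_http, and a web UI install operation.
All log lines, HTTP bodies, host names and file names below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Cisco's advisory gives "0123456789abcdef01" as an example implant reply: hex digits only.
HEX_BODY = re.compile(r"^\s*[0-9a-fA-F]{8,}\s*$")

# Usernames Cisco reported the attackers creating. Any other local user unknown to the
# administrator is equally suspicious, so callers also pass their list of known users.
ATTACKER_USERS = {"cisco_tac_admin", "cisco_support"}

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\]")
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), Install Operation: (?P<op>\w+) (?P<file>\S+)"
)


def implant_check_request(host: str, authorization: Optional[str] = None) -> Tuple[str, str, Dict[str, str]]:
    """Build the probe from Cisco's advisory, equivalent to
    curl -k -X POST "https://HOST/webui/logoutconfirm.html?logon_hash=1".
    Later implant variants only answer when an Authorization header is present, so the
    caller may supply one; an empty reply without it is not proof of a clean device."""
    headers = {"Authorization": authorization} if authorization else {}
    return "POST", f"https://{host}{IMPLANT_CHECK_PATH}", headers


def implant_present(status: int, body: str) -> bool:
    """True when the response looks like the implant's reply: HTTP 200 and a bare hex string."""
    return status == 200 and HEX_BODY.match(body) is not None


@dataclass
class Finding:
    rule: str
    line: str


def triage_log(lines: Iterable[str], known_users: Iterable[str]) -> List[Finding]:
    """Return one Finding per indicator matched in the given syslog lines, in log order."""
    known = {u.lower() for u in known_users}
    findings: List[Finding] = []
    for line in lines:
        if CONFIG_P.search(line):
            findings.append(Finding("config_programmatic_webui", line))
        m = WEBLOGIN.search(line)
        if m:
            user = m.group("user")
            if user in ATTACKER_USERS or user.lower() not in known:
                findings.append(Finding(f"weblogin_unknown_user:{user}", line))
        m = INSTALL.search(line)
        if m:
            findings.append(Finding(f"webui_install_{m.group('op').lower()}:{m.group('file')}", line))
    return findings


# Constructed sample: one legitimate admin login, then the attacker's activity pattern.
SAMPLE_LOG = [
    "Oct 17 10:11:12: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5] at 10:11:12 UTC Tue Oct 17 2023",
    "Oct 17 10:14:09: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.7] at 10:14:09 UTC Tue Oct 17 2023",
    "Oct 17 10:14:10: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 17 10:14:31: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD bootflash:implant.bin",
    "Oct 17 10:20:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, known_users=["netadmin"]):
        print(f"[{f.rule}] {f.line}")
    print("probe:", implant_check_request("router.example"))
    print("implant present:", implant_present(200, "0123456789abcdef01\n"))
```

The probe builder only constructs the request so that the logic can be checked without network access; send it with any HTTP client against devices you are authorised to test, and treat a hex reply as a compromised device that needs forensic capture before it is rebooted or patched.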
Affected Version(s)
Cisco IOS XE Software = 16.1.1
Cisco IOS XE Software = 16.1.2
Cisco IOS XE Software = 16.1.3
The list above is a partial extract of the version entries recorded for this CVE. Cisco's advisory states that the vulnerability affects Cisco IOS XE Software whenever the web UI feature is enabled; consult the advisory for the full list of fixed releases.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Public PoC code is also a key building block for weaponization, including by ransomware operators.
News Articles
Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)
CVE-2023-20198 impacts Cisco IOS XE devices and allows attackers full admin access. Our overview includes attack surface telemetry of potential impact.
3 months ago
Cybersecurity Newsletter 29th April 2024
Cybersecurity Newsletter 29th April 2024. In this week's news: UNICEF breached, Post Office phishing site gets more traffic than real one, Venture Capitalists...
5 months ago
Norway issues warning after "important businesses" affected by Cisco zero-days
The chief of Norway's NSM agency said the pair of zero-day vulnerabilities affecting Cisco IOS XE had created a "very serious" situation for some organizations.
5 months ago
EPSS Score
86% chance of being exploited in the next 30 days.
CVSS V3.1
10.0 (Critical)
Timeline
- Vulnerability started trending.
- First article discovered by BleepingComputer.
- Exploit exists.
- Vulnerability published.
- Vulnerability reserved.