Cisco Provides Update on Investigation into Web UI Exploitation

CVE-2023-20198
10CRITICAL

Key Information

Vendor
Cisco
Status
Cisco IOS XE Software
Vendor
CVE Published:
16 October 2023

Badges

šŸ˜„ TrendedšŸ‘¾ Exploit ExistsšŸ”“ Public PoCšŸŸ” EPSS 86%šŸ“° News Worthy

Summary

A vulnerability in the web UI functionality of Cisco IOS XE (CVE-2023-20198) has been exploited by threat actors, allowing them to create high-privilege accounts and install an implant, ultimately enabling remote control of affected network devices. A second zero-day vulnerability (CVE-2023-20273) has also been leveraged to run the implant. Cisco has released fixes for CVE-2023-20198, but this does not address the second zero-day vulnerability. Following the public announcement of the attacks, the number of internet-facing Cisco devices with the implant installed decreased significantly, suggesting a cleanup effort. Organizations are advised to promptly apply the relevant patches, disable the HTTP Server feature, and conduct thorough investigations to ensure the security of their devices. In addition to the potential impacts of the vulnerability, the ongoing exploitation underscores the need for robust cybersecurity protocols and a proactive approach to vulnerability management.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-20198 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

Affected Version(s)

Cisco IOS XE Software = 16.1.1

Cisco IOS XE Software = 16.1.2

Cisco IOS XE Software = 16.1.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cisco-ios-xe-implant-detection
Created by fox-it

CVE-2023-20198
Created by smokeintheshell

CVE-2023-20198-Checker
Created by ZephrFish

News Articles

favicon imagePalo Alto Networks

Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)

CVE-2023-20198 impacts Cisco IOS XE devices and allows attackers full admin access. Our overview includes attack surface telemetry of potential impact.

3 months ago

favicon imageButtondown

Cybersecurity Newsletter 29th April 2024

Cybersecurity Newsletter 29th April 2024 In this weekā€™s news: UNICEF breached, Post Office phishing site gets more traffic than real one, Venture Capitalists...

5 months ago

favicon imageThe Record from Recorded Future News

Norway issues warning after ā€˜important businessesā€™ affected by Cisco zero-days

The chief of Norway's NSM agency said the pair of zero-day vulnerabilities affecting Cisco IOS XE had created a "very serious" situation for some organizations.

5 months ago

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability started trending.

  • First article discovered by BleepingComputer

  • šŸ‘¾

    Exploit exists.

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre DatabaseCISA Database18 Proof of Concept(s)15 News Article(s)
.