Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild

The Zero-Day Revelation

On October 16, Cisco’s Talos issued a stern warning about a zero-day vulnerability lurking in the Web User Interface (Web UI) feature of Cisco IOS XE. This vulnerability had already been exploited by malicious actors.

Uncovering the Threat

The alert came after a support case investigation on September 28 revealed the creation of a suspicious user account on September 18. Further investigation on October 12 showed the creation of a user account and the uploading of a configuration file to maintain persistent access. This paints a disturbing picture of the breach’s depth.

- Advertisement -

Analysis of CVE-2023-20198

This privilege escalation vulnerability, known as CVE-2023-20198, has earned the highest CVSS score of 10. Its successful exploitation can result in the creation of a user account with full administrative privileges, giving attackers full control. But where does this vulnerability hide?

The Unexpected Twist

Malicious actors weren’t content with just CVE-2023-20198. They also leveraged CVE-2021-1435, an older vulnerability, to install an implant. This vulnerability allowed them to execute arbitrary code as the root user. What’s surprising is that even fully patched devices were not safe. How did the attackers manage this?

In-Depth Analysis

CVE-2023-20198 is the second zero-day discovered this month in Cisco IOS XE. An earlier vulnerability, CVE-2023-20109, posed a different threat.

For a comprehensive understanding of the observed implant, Cisco Talos has released an illuminating blog post. For those seeking more details about the compromised devices, this is a valuable resource.

As of October 16, no proof-of-concept code for CVE-2023-20198 has been made public.

The Path to Security

In the absence of patches, Cisco recommends disabling the HTTP Server feature on internet-facing Cisco IOS XE systems. Learn how to disable the feature and prevent reactivation after system reload in the official advisory.

Both Cisco Talos’ blog and the Cisco security advisory offer indicators of compromise to aid in incident response investigations.

TheCISO

Website | + posts

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild

The Zero-Day Revelation

Uncovering the Threat

Analysis of CVE-2023-20198

The Unexpected Twist

In-Depth Analysis

The Path to Security

TheCISO

Also Read

Five Penetration Testing Frameworks and Methodologies

Defense in Depth – The Layered Approach to Cybersecurity

How to Become a Cybersecurity Expert

How to be Anonymous Online

A List of Tools to Help you Detect the Log4j Vulnerability

Cybersecurity Analyst Interview Questions

The Internet of Medical Things and Cybersecurity Risk

Find Information About a Person on Instagram with OSINTgram

NIST Publications on Penetration Testing

Penetration Testing: Pre-Engagement Interactions

Menu

Popular Categories