Pierluigi Paganini October 20, 2023

More than 40,000 Cisco IOS XE devices have been compromised in attacks exploiting recently disclosed critical vulnerability CVE-2023-20198.

Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. Most of the infected devices were in the United States, the Philippines, Chile, and Mexico.

CERT Orange also found a similar number of compromised Cisco IOS XE devices (over 34.5K) using the same IoCs.

“On October 19th, the number of compromised Cisco devices has ebbed to 36,541, over 5,000 less than 24 hours ago.” reads a post published by Censys. “On October 18th, we have seen an increase in the number of infections from 34,140 to 41,983 hosts.”

Cisco this week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warned.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.

Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.” concludes the advisory that also includes Indicators of Compromise (IoCs).”After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload.”

VulnCheck researchers observed that the vulnerability was exploited in a large-scale hacking campaign targeting Cisco IOS XE routers and switches. The security firm developed and released a scanner used to find systems infected with implants that are exposed on the internet.

“Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.” reads the post published by VulnCheck. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

The researchers urge organizations to use an IOS XE system to determine if their systems have been compromised.

Cybersecurity firm GreyNoise also identified malicious activity related to the exploitation of the above issue.

Additional details on ongoing attacks are reported in the Cisco Talos’s advisory which is costantly updated by the company.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco IOS XE)