Pierluigi Paganini October 20, 2023

US CISA added the vulnerability CVE-2021-1435 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2021-1435 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog.

The vulnerability is a command injection vulnerability in the web user interface that could allow a remote, authenticated attacker to inject commands that can be executed as the root user.

Cisco Talos researchers warned of active exploitation of this vulnerability to infect the devices.

“Leveraging existing detections, we observed the actor exploiting CVE-2021-1435, for which Cisco provided a patch in 2021, to install the implant after gaining access to the device.” reads the report published by Cisco Talos. “We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by November 9, 2023.

Recently another Cisco IOS XE vulnerability, tracked as CVE-2023-20198, made the headlines.

Cisco this week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warned.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. Most of the infected devices were in the United States, the Philippines, Chile, and Mexico.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)