Cisco warns of a second IOS XE zero-day used to infect devices worldwide

Pierluigi Paganini October 23, 2023

Cisco found a second IOS XE zero-day vulnerability, tracked as CVE-2023-20273, which is actively exploited in attacks in the wild.

Cisco last week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warned.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.

Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.

Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. Most of the infected devices were in the United States, the Philippines, Chile, and Mexico.

CERT Orange also found a similar number of compromised Cisco IOS XE devices (over 34.5K) using the same IoCs.

Cisco new discovered a second actively exploited IOS XE zero-day vulnerability tracked as CVE-2023-20273.

While investigating attacks exploiting the flaw CVE-2023-20198, Cisco noticed attacks on systems patched against this issue, a circumstance that suggested that threat actors were exploiting a second zero-day flaw.

“Our investigation has determined that the actors exploited two previously unknown issues.” reads the advisory published by the company. “The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

  • CVE-2023-20198 has been assigned a CVSS Score of 10.0.
  • CVE-2023-20273 has been assigned a CVSS Score of 7.2.”

The IT giant has now addressed both zero-day vulnerabilities and also provided mitigations for them.

Cisco IOS XE Software Release TrainFirst Fixed ReleaseAvailable
16.12 (Catalyst 3650 and 3850 only)16.12.10aTBD

Cyber security firms observed a rapid drop in the number of infected devices, but the root cause was the attempt of the attackers to hide their infection as reported by Shadowserver Foundation.

“Please note that a potential trace cleaning step is underway to hide the implant (following exploitation of #CVE-2023-20198)” reported CERT Orange Cyberdefense. “Even if you have disabled your WebUI, we recommend that you carry out an investigation to make sure that no malicious users has been added and that its configuration has not been altered”

At the time of this publishing, it is still unclear who is behind these attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISCO IOS XE)

you might also like

leave a comment