The vulnerability is an unspecified issue in the web user interface. An attacker can chain this flaw with CVE-2023-20198 to leverage the new local user to elevate privilege to root and write the implant to the file system.
Cisco last week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases. The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.
While investigating attacks exploiting the flaw CVE-2023-20198, Cisco noticed attacks on systems patched against this issue, a circumstance that suggested that threat actors were exploiting a second zero-day flaw.
“Our investigation has determined that the actors exploited two previously unknown issues.” reads the advisory published by the company. “The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.
The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.
The IT giant has now addressed both zero-day vulnerabilities and also provided mitigations for them.
The US CISA has released guidance for addressing CVE-2023-20198 and CVE-2023-20273 vulnerabilities.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by October 27, 2023.
(SecurityAffairs – hacking, CISA)