Cisco working on fix for critical IOS XE zero-day

Cisco said it is working on a fix for a critical, actively exploited vulnerability in its IOS XE software that the networking giant disclosed Monday.

CVE-2023-20198 is a flaw that affects all Cisco IOS XE Software instances with the web UI feature enabled, which is done via the ip http server or ip http secure-server commands. The zero-day vulnerability, Cisco said in a Monday advisory, enables "a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access." The threat actor can then use the new account to gain control over the target system.

The vendor said CVE-2023-20198 was under active exploitation and designated it with a CVSS severity score of 10 -- the highest possible.

Because no patch is currently available, Cisco "strongly recommends that customers disable the HTTP Server feature on all internet-facing systems." Instructions for doing so, as well as indicators of compromise and additional technical details, are available in the advisory. CISA likewise published an advisory Monday echoing Cisco's advice.

Cisco Talos published a blog post providing additional insights into the nature of threat activity surrounding the flaw. According to the blog post, Cisco Talos first discovered early signs of relevant malicious activity on Sept. 28, noting that said activity apparently started as early as Sept. 18. The firm then detected a second cluster of unusual activity on Oct. 12.

"We assess that these clusters of activity were likely carried out by the same actor," the blog read. "Both clusters appeared close together, with the October activity appearing to build off the September activity. The first cluster was possibly the actor's initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant."

In a statement shared with TechTarget Editorial, a Cisco spokesperson said the networking vendor is "committed to transparency."

"When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them," the statement read. "On October 16, Cisco published a security advisory disclosing a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory."

Late last month, Cisco disclosed a separate zero-day flaw -- CVE-2023-20109 -- affecting vulnerable versions of Cisco IOS XE software. This vulnerability, which exists in the software of Cisco's Group Encrypted Transport VPN, could similarly enable a threat actor to take over a target system if exploited.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.