A critical flaw in Cisco IOS XE software appears to be facing mass exploitation, according to a Tuesday blog post from security vendor VulnCheck.
Cisco on Monday disclosed CVE-2023-20198, a zero-day vulnerability in its IOS XE software that the networking giant said was already under exploitation. The flaw affects all instances of the software with its web UI feature enabled. In its advisory, Cisco said the vulnerability could allow an unauthenticated attacker to remotely take over a target system.
"Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks," the advisory read. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system."
The attacker uses an implant containing a configuration file to accomplish this, according to a Cisco Talos blog published Monday.
No patch is currently available, and as such, Cisco urged customers to "disable the HTTP Server feature on all internet-facing systems." Instructions for doing so as well as indicators of compromise are available in the advisory.
In a Tuesday blog post, VulnCheck CTO Jacob Baines wrote that the security vendor performed a vulnerability scan and found thousands of compromised hosts in the wild. VulnCheck also released a scanner accompanying the blog post to detect the implant on customer instances.
"VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts," Baines said. "This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks."
Internet scan provider Netlas.io tweeted on Tuesday morning that it detected 80,714 instances likely vulnerable to CVE-2023-20198.
CVE-2023-20198: Privilege Escalation in Cisco WebUI, 10.0 rating— Netlas.io (@Netlas_io) October 17, 2023
The vulnerability allows a remote attacker to create an account on an affected system with high access.
Search at https://t.co/hv7QKSqxTR:
Link: https://t.co/9Q0Lns8Lm4#cybersecurity #vulnerability_map pic.twitter.com/2EwM6ntkep
Cisco provided a command to check for the malicious implant in physical and virtual devices. Cisco Talos researchers noted that the implants are not persistent and can be removed by rebooting the systems. However, they also warned that any new admin accounts created by the attacker will remain active even after a reboot, so organizations should look for any suspicious accounts created recently.
TechTarget Editorial asked a Cisco spokesperson Monday about the scope of exploitation activity in the wild. At the time, the spokesperson declined to answer. TechTarget Editorial contacted Cisco Tuesday morning for additional comment.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.