Security News > 2023 > October > Cisco IOS XE zero-day exploited by attackers to deliver implant (CVE-2023-20198)
A previously unknown vulnerability affecting networking devices running Cisco IOS XE software is being exploited by a threat actor to take control of the devices and install an implant, Cisco Talos researchers have warned today.
CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software, which is installed on various Cisco controllers, switches, edge, branch and virtual routers.
The flaw affects both physical and virtual devices running Cisco IOS XE software, and is exploitable only if the web UI is enabled.
In multiple attacks analyzed by Cisco's threat analysts, the threat actor exploited CVE-2023-20198 to create a local user account and exploited an old command injection flaw in the web UI to install the implant.
"The configuration file defines the new web server endpoint used to interact with the implant. That endpoint receives certain parameters that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed," Cisco's researchers explained.
Cisco is working on a patch for CVE-2023-20198, but in the meantime they advise admins to disable the HTTP Server feature on all internet-facing systems running Cisco IOS XE software.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-16 | CVE-2023-20198 | Unspecified vulnerability in Cisco IOS XE Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. | 10.0 |