Cisco IOS XE Security Alert: Zero-Day Vulnerabilities Patched
Cisco has patched two vulnerabilities, tracked as CVE-2023-20198 and CVE-2023-20273, that hackers are actively exploiting to compromise thousands of devices. The patch was released after attackers had exploited these issues as zero-days to gain full control over 50,000 Cisco IOS XE hosts.
Multiple Vulnerabilities in Cisco IOS XE
The initial breach involved exploitation of CVE-2023-20198, which gave the attacker initial access. They then executed a “privilege 15 command” to create a local user and password combination, granting them access with standard user privileges.
Following this, the attacker used another part of the web user interface (UI) functionality to further the intrusion, leveraging the newly created local user to elevate their privileges to root. This allowed them to write an implant to the file system. Cisco has designated this issue as CVE-2023-20273.
CVE-2023-20198 has been assigned a CVSS Score of 10.0, while CVE-2023-20273 has received a CVSS Score of 7.2.
Cisco cautions that both vulnerabilities are exploitable when the device’s web UI (HTTP Server) feature is enabled. The feature is turned on with commands such as “ip http server” or “ip http secure-server.”
Additionally, the network gear manufacturer reports that the malicious actor used the critical flaw to establish initial access to the device, then executed a “privilege 15 command” to create a standard local account.
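The two facts above give a defender a concrete configuration check: whether the web UI is enabled (“ip http server” / “ip http secure-server”) and whether any local privilege 15 accounts exist that are not in the known-good baseline, since the intrusion chain created exactly such an account. The script below is an added example, not Cisco’s tooling or anything from the advisory; it audits a saved IOS XE running-config dump offline. The sample config, hostname, usernames and hashes are constructed placeholders, and the `expected_admins` baseline is an assumption the operator would supply from their own records.

```python
"""Audit an IOS XE running-config for web UI exposure and unexpected privilege 15 users.

Added example (not Cisco's code). It reads a config dump and reports:
  * whether `ip http server` / `ip http secure-server` are enabled,
  * which local users hold privilege 15 and which are not in the baseline,
  * the commands that turn the web UI off.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: hostname, usernames and hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER-HASH
username backup-svc privilege 1 secret 9 $9$PLACEHOLDER-HASH
username svc-web privilege 15 secret 9 $9$PLACEHOLDER-HASH
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Matches "username <name> privilege <level> ..." at the start of a config line.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


@dataclass
class WebUiAudit:
    http_enabled: bool = False
    https_enabled: bool = False
    privilege15_users: list = field(default_factory=list)

    @property
    def web_ui_exposed(self) -> bool:
        """Either server being on is enough for the web UI to be reachable."""
        return self.http_enabled or self.https_enabled

    def remediation(self) -> list:
        """Exact IOS commands that disable whatever is currently enabled."""
        cmds = []
        if self.http_enabled:
            cmds.append("no ip http server")
        if self.https_enabled:
            cmds.append("no ip http secure-server")
        return cmds


def audit_config(config_text: str) -> WebUiAudit:
    """Walk the config line by line; a later 'no ...' form overrides an earlier enable."""
    audit = WebUiAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            audit.http_enabled = True
        elif line == "no ip http server":
            audit.http_enabled = False
        elif line == "ip http secure-server":
            audit.https_enabled = True
        elif line == "no ip http secure-server":
            audit.https_enabled = False
        else:
            m = USERNAME_RE.match(line)
            if m and int(m.group(2)) == 15:
                audit.privilege15_users.append(m.group(1))
    return audit


def unexpected_admins(audit: WebUiAudit, expected_admins: set) -> list:
    """Privilege 15 accounts not in the operator-supplied baseline (assumed known-good list)."""
    return [u for u in audit.privilege15_users if u not in expected_admins]


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print("web UI exposed:", result.web_ui_exposed)
    print("privilege 15 users:", result.privilege15_users)
    print("not in baseline:", unexpected_admins(result, {"netops"}))
    for cmd in result.remediation():
        print("remediate:", cmd)
```

Run it against `show running-config` output captured from each device; any privilege 15 user outside the baseline warrants investigation of that device, and the remediation commands are what the text's mitigation (disabling the web UI) looks like in the configuration.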
Conclusion
Cisco has issued a stark advisory about a severe, unpatched security vulnerability that is being actively exploited in the wild in IOS XE software. This zero-day vulnerability, rooted in the web user interface (UI) functionality, is identified as CVE-2023-20198 and has been assigned the highest possible severity rating of 10.0 on the CVSS (Common Vulnerability Scoring System) scale.
Note that this vulnerability only affects enterprise networking equipment where the web UI feature is active and exposed to the internet or untrusted networks.
The sources for this article include a story from Bleeping Computer.