CVE-2023-20198 Zero-Day Vulnerability on Cisco IOS XE Systems
CVE-2023-20198 is a critical vulnerability that affects the web UI feature of Cisco IOS XE Software. It allows a remote, unauthenticated attacker to create an account with the highest privilege level. This vulnerability has been actively exploited in the wild and has received a CVSS score of 10.0.
There is no software patch available yet. Cisco will update the advisory when a patch is released.
As mentioned before, the vulnerability affects enterprise networking gear that have the web UI feature of Cisco IOS XE Software enabled. According to Cisco’s security advisory regarding the vulnerability, it allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. Using this account, the attacker can then have full control of the system.
Privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks, according to security researcher Jacob Baines. This vulnerability has been exploited by threat actors who have compromised over 10,000 devices worldwide.
Some of the affected products are both physical and virtual devices running Cisco IOS XE software, like Cisco controllers, switches, edge, branch and virtual routers and they have the HTTP or HTTPS server feature enabled.
This vulnerability is also in CISA’s Known Exploited Vulnerabilities Catalog and requires immediate action from the system administrators. CISA also advises to follow vendor instructions to determine if a system may have been compromised and report positive findings to CISA.
There is no software patch available yet. When there is one, all the companies that have the Cisco IOS XE Software must update it and apply any patches.
Until then, the following measures should be followed:
- Disable the HTTP or HTTPS Server feature on all internet-facing systems.
- Apply access control lists to restrict access to the web UI from trusted hosts only.
- Monitor the system logs for any suspicious activity, such as failed login attempts, unauthorized commands, or unusual network traffic.