Cisco Router Vulnerability Actively Targeted for Unauthorised Access

    Cisco users have been alerted to a significant zero-day flaw in the company’s IOS XE software, which cybercriminals have already exploited to gain control of devices. The vulnerability, CVE-2023-20198, has received a maximum severity rating of 10 from Cisco, and a patch is still pending.

    In a recent security advisory, Cisco stated, “There’s evidence of active exploitation of a previously unidentified vulnerability in Cisco IOS XE Software’s web UI feature when it’s connected to the internet or untrusted networks.” The flaw allows an unauthenticated remote attacker to create an account on the affected system with privilege level 15, the highest available, and then use that account to take control of the device.

    Cisco has confirmed that the vulnerability impacts both physical and virtual devices that run the IOS XE software and have the HTTP or HTTPS Server feature activated. However, the company hasn’t yet provided a comprehensive list of vulnerable devices. Qualys Threat Research’s Mayuresh Dani informed The Register, “Any switch, router, or WLC with IOS XE and an internet-exposed web UI is at risk.” Based on data from Shodan, approximately 40,000 devices have their web UI exposed online, with a significant portion using port 80.

    Given the absence of a patch or workaround, Cisco strongly advises users to disable the HTTP Server feature on all systems exposed to the internet. This aligns with guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) on reducing risk from internet-exposed management interfaces. To turn off the HTTP Server feature, Cisco suggests executing specific commands in global configuration mode.
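    The article does not quote the commands themselves. The following is an added example, not text from the Cisco advisory, showing the standard IOS XE CLI sequence for checking whether the web UI is enabled and disabling both the plain HTTP and HTTPS listeners in global configuration mode; the hostname `Router` is a placeholder.

```cisco
! Check whether the web UI is enabled (added example; look for either
! "ip http server" or "ip http secure-server" in the output).
Router# show running-config | include ip http

! Disable both listeners in global configuration mode.
Router# configure terminal
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router(config)# end

! Persist the change so it survives a reload.
Router# copy running-config startup-config

! Confirm nothing is listening: the include filter should now return nothing.
Router# show running-config | include ip http
```

Verify after saving, since a device that is reloaded without a saved configuration will return to the previous, exposed state. Where the web UI must remain reachable for internal management, the advisory's guidance is to keep it off any internet-facing or untrusted interface rather than leaving it globally enabled.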

    Although a Cisco representative declined to provide figures on the number of affected customers or specify the origin of the attacks, they emphasised the company’s dedication to delivering a software solution. They urged users to adhere to the security advisory’s recommendations.

    Cisco’s Talos team, responsible for threat intelligence and incident response, shared additional insights in a separate blog post. They detailed how the malicious activity was detected and outlined the code used by intruders to gain lasting access. Notably, in some instances, the attackers utilised a vulnerability, CVE-2021-1435, which had been patched by Cisco two years earlier.

    Talos believes the same group is behind both the incidents in September and October. The team suggests that the earlier attack might have been a test, while the later one seemed to focus on gaining persistent access through the deployment of an implant.

    It’s worth noting that this advisory follows a warning from Cisco last month about another bug being exploited in its IOS and IOS XE software, CVE-2023-20109. Cisco clarified that these two issues are unrelated. Furthermore, warnings were issued by the US and Japan last month about Chinese government spies targeting Cisco routers for data theft.

    While the culprit behind the CVE-2023-20198 exploits remains uncertain, John Gallagher from IoT security firm Viakoo Labs commented to The Register on the potential broad range of suspects. Gallagher speculated that a cyber-criminal organisation might be positioning itself to sell access or control across networks, and any public instances of the vulnerability being exploited could be perceived as a form of advertisement for such a criminal group.
