Cisco warns of actively exploited zero-day in IOS XE software

No patch yet so disable web UI on affected devices

Cisco warns of actively exploited zero-day in IOS XE software

Image:
Cisco warns of actively exploited zero-day in IOS XE software

Cisco has disclosed a critical zero-day vulnerability in its IOS XE software that is being actively exploited in the wild.

IOS XE is the operating system that runs on various Cisco networking devices and platforms, and providing core networking functionality such as routing, switching, security and wireless access.

The vulnerability, tracked as CVE-2023-20198 and accorded a maximum CVSS score of 10.0, exists in the web UI feature of IOS XE, and could allow an unauthenticated remote attacker to create a privileged account on affected devices.

According to a Cisco advisory, the web UI is enabled by default in IOS XE and provides a graphical interface for configuring and managing devices. However, exposed to the internet or untrusted networks, it provides an attack vector for threat actors.

The flaw allows an attacker to create an account with level 15 (root) privileges, giving them full control of the device.

Indicators of compromise include suspicious log entries and commands to check for the presence of an implant, according to Cisco.

Cisco Talos researchers have also released rules for intrusion detection software Snort allowing it to detect attacks targeting this vulnerability.

The company said the flaw was discovered during the investigation of multiple customer support cases and that active exploitation has been observed in the wild.

The exploitability of the flaw and the number of devices potentially vulnerable make this a serious bug, said Mayuresh Dani, manager of threat research at Qualys. He used the specialised search engine Shodan to estimate the number of devices at risk.

"Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable," he said.

"Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet. A majority of those are listening on port 80."

To mitigate the vulnerability, Cisco strongly recommends disabling the HTTP server feature completely on internet-facing devices. In its advisory, the company provides additional recommendations based on specific deployment scenarios.

Patches are not yet available and there are no workarounds, but Cisco says it is working on a fix and will notify users when one is ready.

Until then, rapid detection and preventing external access to the web UI are critical to avoid compromise.