Cisco’s Talos security team has warned that IOS XE software running on many of its late-model devices has a critical zero-day vulnerability that has already led to exploits in the wild, with attackers apparently able to take full control of affected networking products, including routers.
The Talos team, in a blog published on Monday, said that the vulnerability — being tracked as CVE-2023-20198 — was found in the web UI feature of the IOS XE software, meaning that it can be used to attack any devices that are running HTTP or HTTPS Server functionality. The issue was first noticed in late September, but the full details did not become apparent to Cisco until October 12, when a suspicious IP address was used to create a local user account on a client device without authorization.
Exploitation of the flaw, which the company said can allow remote users to create fully functional admin accounts and do largely whatever they want with them, depends on an “implant” of a configuration file, which requires a web server restart to become active. That implant was delivered both using a second, known vulnerability, as well as “an as of yet undetermined mechanism,” Talos said in its blog post.
A patch for this serious security flaw is not yet available, but Cisco strongly recommended that users of potential vulnerable devices disable the HTTP/S server features on any of its devices that connect to the internet or other untrusted networks. A threat advisory details steps for users who need to check whether their Cisco devices are running HTTP/S server, as well as a command-line method of checking for the presence of the malicious implant.
“We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco’s threat advisory noted.
The identity of the party or parties that have been seen to exploit this vulnerability is unknown, but the possibilities for what such bad actors could do with compromised networking gear are wide-ranging, according to IDC research director Michelle Abraham.
“The threat actor may use the router in a DDoS attack, they could also use it to intercept network traffic or alter the traffic,” she said. “It is also possible to add malicious firmware to the router that provides persistent backdoor access.”