Over 40,000 Cisco devices exploited with the latest zero-day vulnerability

Cisco’s recently disclosed Web UI-based critical zero-day has been confirmed to have more than 40,000 infected hosts, with over a fourth in the US alone.

Closely tracking Cisco’s Web UI privilege escalation vulnerability (dubbed CVE-2023-20198), cybersecurity research firm Censys revealed that the number of compromised devices went down slightly on October 19 following hefty jumps in the previous two days.

“In the past 24 hours since our last update on the ongoing compromises, there’s both promising and concerning news,” Censys said in a blog post. “While the initial surge of compromises appears to have diminished, we’re now grappling with a substantial number of compromised routers.”

On October 16, Cisco issued an advisory for a high-severity (CVSS 10) vulnerability in the web UI feature of devices running the IOS XE software. The bug allows unauthenticated privilege escalation and was being actively exploited in the wild.

The US and Philippines lead in affected hosts

Censys research found a total of 36,541 actively infected devices as of October 19, noting that about 5,400 devices dropped out of the count within 24 hours, either because they were taken offline or because their UI features were disabled.

The vulnerability impacted Cisco devices in several countries, including the US, the Philippines, Mexico, Chile, and India. A total of 6,509 affected hosts were reported in the US on October 18, almost a 40% jump within 24 hours, up from 4,659 devices reported the day before. The Philippines was a close second, with 3,966 and 3,224 devices on the respective days.

Globe Telecoms Inc, Uninet, and CTC Corp S.A. Telefonica Empresas were the leading American and Philippine enterprises with more than 1,000 affected devices.

Cisco suffers a batch of critical bugs

Cisco has had a busy last two months with six high-to-critical level exploits found in its systems.

CVE-2023-20198, the bug that allows unauthenticated users to create an account on the affected system with “level 15” privileges, was discovered by the company itself while resolving TAC support cases, after an existing detection rule for an older vulnerability, CVE-2021-1435, fired.

As per the Cisco advisory, there are no workarounds available for the vulnerability; the only recommendation the company has provided is to disable the HTTP Server feature on all internet-facing systems.

As for indicators of compromise (IOCs), the company advises users to look for new or unknown usernames in the configuration messages that are generated each time the Web UI feature is accessed.
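The username check described above, as an added example that is not from the article or from Cisco: it scans syslog lines for configuration and web-UI login messages and flags any username that is not on an allowlist. The message formats are assumptions modelled on IOS XE syslog output, and the log lines and the username `newadmin01` are constructed for the example.

```python
import re

# Assumed message formats, modelled on IOS XE syslog output (not taken from the article).
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<process>\S+) "
    r"from console as (?P<user>\S+) on "
)
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)


def find_unknown_users(log_lines, known_users):
    """Return (line_no, username, kind) for every config or web-login message
    whose username is not in the allowlist. 'kind' is 'config' or 'weblogin'."""
    known = {u.lower() for u in known_users}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, rx in (("config", CONFIG_P_RE), ("weblogin", WEBLOGIN_RE)):
            m = rx.search(line)
            if m and m.group("user").lower() not in known:
                hits.append((n, m.group("user"), kind))
    return hits


# Constructed sample log; 'newadmin01' is a placeholder for an account nobody provisioned.
SAMPLE_LOG = [
    "Oct 18 02:11:09.321: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]",
    "Oct 18 02:13:45.010: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on vty0",
    "Oct 18 03:40:12.777: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as newadmin01 on vty1",
    "Oct 18 03:40:15.120: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: newadmin01] [Source: 203.0.113.9]",
    "Oct 18 03:41:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up",
]

# Accounts the operator actually provisioned (constructed allowlist).
KNOWN_USERS = ["netops", "admin"]

if __name__ == "__main__":
    for line_no, user, kind in find_unknown_users(SAMPLE_LOG, KNOWN_USERS):
        print(f"line {line_no}: unknown user {user!r} seen in {kind} message")
```

Feed the function real `show logging` output or collector exports; any hit warrants comparing the running configuration's local accounts against the provisioning record.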

On October 19, Cisco confirmed another high-severity (CVSS 7.5) vulnerability, the HTTP/2 Rapid Reset bug CVE-2023-44487, which Google, Amazon AWS, and Cloudflare had jointly reported last week as being exploited as a zero-day. The vulnerability abuses a weakness in the HTTP/2 protocol to generate very large Distributed Denial of Service (DDoS) attacks.
