In a startling revelation, Cisco has disclosed two dangerous zero-day vulnerabilities in its IOS XE software, CVE-2023-20198 and CVE-2023-20273, that hackers have been actively exploiting to deploy malicious implants on compromised devices. The CVE-2023-20198 authentication bypass zero-day, disclosed earlier this week, has allowed unauthenticated attackers to gain access to IOS XE devices since September 18 and create unauthorized administrative accounts. The attackers then used the CVE-2023-20273 privilege escalation zero-day to obtain root access, giving them complete control over the devices and the ability to execute arbitrary commands on the underlying system.
Cisco has swiftly developed fixes for both vulnerabilities and plans to release them via the Cisco Software Download Center starting October 22. The company, however, clarified that a previously mentioned CVE-2021-1435 is not related to these recent activities.
Worryingly, over 40,000 Cisco devices running the vulnerable IOS XE software have already been compromised in these attacks. Initially estimated at 10,000 devices, the count rose to 34,500 within a day, according to reports from VulnCheck and Orange Cyberdefense CERT. Cisco IOS XE devices at risk include enterprise switches, access points, wireless controllers, and industrial, aggregation, and branch routers. Disturbingly, Shodan search results show that more than 146,000 vulnerable systems are currently reachable from the internet and therefore exposed to attack.
While waiting for the official patches, Cisco has issued urgent guidelines to administrators. The main interim measure is to disable the vulnerable HTTP server feature on all internet-facing systems, which removes the vector these attacks rely on. Cisco strongly emphasized the importance of these actions, providing detailed instructions in its updated security advisory and Talos blog.
Moreover, administrators are urged to remain vigilant and look out for any suspicious or newly created user accounts, which could be indicative of malicious activity related to these ongoing attacks. Cisco’s proactive disclosure aims to empower users with the knowledge and tools needed to safeguard their systems, emphasizing the critical importance of immediate action in the face of this escalating threat.
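The two checks Cisco recommends above, confirming that the HTTP server feature is disabled and spotting local accounts nobody on the team created, can be run against exported configuration text. The following is an added example written for this article, not code from Cisco or its advisory; it assumes the input is the text of `show running-config` from an IOS XE device, and the hostnames, account names and config sample are constructed.

```python
import re

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops-admin privilege 15 secret 9 $9$REDACTED
username svc-backup privilege 15 secret 9 $9$REDACTED
username unexpected-user privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Assumed inventory of accounts the team knowingly created for this device.
KNOWN_ACCOUNTS = {"netops-admin", "svc-backup"}

# `username <name> ...` lines define local accounts.
USERNAME_RE = re.compile(r"^username\s+(\S+)", re.MULTILINE)
# Only the bare enable lines match; `no ip http server` starts with "no" and is skipped,
# and `ip http authentication local` is excluded by the end-of-line anchor.
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)


def unknown_accounts(config, known):
    """Return locally configured usernames that are not in the known inventory."""
    found = set(USERNAME_RE.findall(config))
    return sorted(found - set(known))


def http_server_lines(config):
    """Return the HTTP server feature lines that are currently enabled."""
    return sorted(m.group(0) for m in HTTP_RE.finditer(config))


def assess(config, known):
    """Combine both checks into a list of findings for the administrator."""
    findings = []
    for line in http_server_lines(config):
        findings.append(f"HTTP server enabled: '{line}' (disable with 'no {line}')")
    for user in unknown_accounts(config, known):
        findings.append(f"unexpected local account: {user}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG, KNOWN_ACCOUNTS):
        print(finding)
```

Feed it the saved running configuration of each device and treat any account outside the inventory as something to investigate rather than silently delete, since the removal itself is evidence worth preserving.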