
Over 50,000 Cisco IOS XE devices have been compromised via a previously unknown vulnerability.
Cisco discovered active exploitation of the new vulnerability, now tracked as CVE-2023-20198, in the Web UI of their IOS XE software.
Devices with their HTTP/HTTPS ports exposed were affected.
Cisco researchers first identified suspicious activity on September 18th. This activity involved a new user account, “cisco_tac_admin”, being created from a suspicious IP address, but no other associated actions were observed at that time.
Cisco Talos then identified a new cluster of unauthorised activity on October 12th. An intruder created a new account, “cisco_support”, again from a suspicious IP address; unlike before, this activity also included the deployment of an implant (“cisco_service.conf”) used to run system-level commands.
Cisco has identified that the vulnerability, which has a maximum CVSS score of 10, grants a user full administrative access.
In the incident seen by Cisco, the attacker then exploited CVE-2023-20273 to achieve root-level control and plant an implant.
This secondary vulnerability has a CVSS score of 7.2.
Cisco has released an advisory covering the two CVEs, and the UK's NCSC has published guidance relating to the issues.
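The two indicators the article reports (unexpected local accounts such as “cisco_tac_admin” and “cisco_support”, and a Web UI reachable over HTTP/HTTPS) can both be checked from a device's running configuration. The script below is an added example written for this page; it is not code from Cisco or from the advisory. It assumes the operator has exported the config with `show running-config`, keeps an allowlist of expected local usernames (the `netadmin` account and the hostname are constructed placeholders), and uses the standard IOS commands `ip http server` / `ip http secure-server` (and their `no` forms) to detect and disable Web UI exposure.

```python
import re

# Constructed sample: a fragment of an IOS XE running-config as a defender might
# export it with "show running-config". The two local usernames below are the
# ones named in the article; the rest is placeholder content for illustration.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$placeholderhash
username cisco_tac_admin privilege 15 secret 9 $9$placeholderhash
username cisco_support privilege 15 secret 9 $9$placeholderhash
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# Account names the article reports being created by the intruder.
KNOWN_INTRUDER_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

# Accounts the operator expects to exist on the device (hypothetical allowlist).
EXPECTED_ACCOUNTS = {"netadmin"}

# "username <name> ..." at the start of a line defines a local user in IOS XE.
USERNAME_RE = re.compile(r"^username\s+(\S+)", re.MULTILINE)


def local_usernames(config):
    """Return every locally defined username, in config order."""
    return USERNAME_RE.findall(config)


def unexpected_accounts(config, expected=EXPECTED_ACCOUNTS):
    """Local accounts that are not on the operator's allowlist."""
    return sorted(set(local_usernames(config)) - set(expected))


def known_intruder_accounts(config):
    """Local accounts matching the names reported in the incident."""
    return sorted(set(local_usernames(config)) & KNOWN_INTRUDER_ACCOUNTS)


def web_ui_enabled(config):
    """Whether the HTTP and/or HTTPS server (and with it the Web UI) is enabled."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


def assess(config, expected=EXPECTED_ACCOUNTS):
    """Summarise the findings for one device and the config commands that
    would remove the exposure and the unexpected accounts.

    A device that already shows intruder-created accounts should be treated as
    compromised (the article reports an implant being deployed alongside them),
    so the commands here are containment steps, not a full clean-up."""
    exposure = web_ui_enabled(config)
    findings = {
        "unexpected_accounts": unexpected_accounts(config, expected),
        "known_intruder_accounts": known_intruder_accounts(config),
        "web_ui_exposed": exposure["http"] or exposure["https"],
    }
    commands = []
    if exposure["http"]:
        commands.append("no ip http server")
    if exposure["https"]:
        commands.append("no ip http secure-server")
    for name in findings["unexpected_accounts"]:
        commands.append(f"no username {name}")
    findings["suggested_config_commands"] = commands
    return findings


if __name__ == "__main__":
    result = assess(SAMPLE_RUNNING_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Disabling the HTTP server feature removes the Web UI entirely, so anything that relies on it (for example, Web UI based management or onboarding) stops working; restricting which addresses can reach the HTTP/HTTPS ports is the alternative where the Web UI cannot be switched off.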
What is Cisco IOS XE?
The Cisco IOS XE network operating system is the single OS for enterprise switching, routing, and wired and wireless access.
It provides open, standards-based, programmable interfaces to automate network operations and brings deep visibility into user, application and device behaviours.