Threat Intelligence: Cisco IOS XE Zero Day Vulnerability
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
A zero-day privilege escalation vulnerability in Cisco IOS XE software has been discovered, allowing a threat actor to create a user account with full administrative privileges if exploited successfully.
Read more about the CVE details here: CVE-2023-20198
The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 10
Cisco IOS XE is the operating system used in Cisco’s next-generation enterprise hardware. Any device with the web user interface (web UI) feature enabled is affected by this vulnerability, which currently has no patch or other workaround.
The web UI is delivered with the default image and is enabled through the “ip http server” or “ip http secure-server” commands.
This security flaw could allow a remote, unauthenticated threat actor to create an account with privilege level 15 access on a vulnerable system.
This is currently being exploited in the wild by an unknown threat actor. In some cases the actor has chained it with an older flaw (CVE-2021-1435, a medium-severity command injection vulnerability) to drop a Lua-language implant that allows the attacker to execute commands on vulnerable systems.
Cisco Talos researchers have announced that even devices which are fully patched against this older vulnerability are being attacked successfully through an unknown delivery mechanism.
Cisco recommends triaging this vulnerability with the following steps:
- Are you running IOS XE? If not, then the system is not vulnerable.
- Is “ip http server” or “ip http secure-server” configured? If not, then the vulnerability is not exploitable.
- Do you run services that require HTTP/HTTPS communication (for example, eWLC)? If not, disable the HTTP server feature. If yes, restrict access to trusted networks.
- After implementing any changes, use the “copy running-configuration startup-configuration” command to save the running configuration. This will ensure that the changes are not reverted in the event of a system reload.
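The triage questions above can be applied mechanically to a saved “show running-config” export. The following Python is an added example written for this advisory, not Cisco’s or DigitalXRAID’s code; the sample configs are constructed, and the “ip http access-class” line format it looks for is an assumption about how an access restriction would appear.

```python
import re

# Constructed sample running-config excerpts (hypothetical devices, not real networks).
EXPOSED_CONFIG = """hostname edge-router-1
ip http server
ip http secure-server
"""

RESTRICTED_CONFIG = """hostname core-sw-1
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

DISABLED_CONFIG = """hostname lab-router
no ip http server
no ip http secure-server
"""

# Assumed command form: "ip http access-class <number>" or "ip http access-class ipv4 <name>".
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")

def triage_web_ui(running_config: str) -> dict:
    """Apply the CVE-2023-20198 triage questions to an IOS XE running-config.
    The last matching line wins, mirroring how "show running-config" states the effective value."""
    http_enabled = https_enabled = False
    access_class = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http_enabled = True
        elif line == "no ip http server":
            http_enabled = False
        elif line == "ip http secure-server":
            https_enabled = True
        elif line == "no ip http secure-server":
            https_enabled = False
        else:
            match = ACCESS_CLASS_RE.match(line)
            if match:
                access_class = match.group(1)

    web_ui_enabled = http_enabled or https_enabled
    if not web_ui_enabled:
        verdict = "not exploitable: web UI disabled"
    elif access_class:
        verdict = f"restricted by access-class {access_class}: confirm it permits trusted networks only"
    else:
        verdict = ("exploitable: disable with 'no ip http server' / 'no ip http secure-server' or "
                   "restrict with 'ip http access-class', then save with 'copy running-configuration startup-configuration'")
    return {"web_ui_enabled": web_ui_enabled, "access_class": access_class, "verdict": verdict}
```

Run it over each device’s exported configuration to build a list of devices that still need the web UI disabled or restricted.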
There is currently no patch or other workaround for this vulnerability. If you need any further guidance on this, please contact DigitalXRAID’s Security Operations Centre analysts. We’re here to support you.
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.
If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact.