Cisco has alerted administrators about a severe authentication bypass zero-day vulnerability in its IOS XE software. The flaw, tracked as CVE-2023-20198 and still awaiting a patch, allows unauthenticated remote attackers to gain full administrative rights on vulnerable routers and switches and take control of them.
The vulnerability impacts devices that have both the Web User Interface (Web UI) feature and the HTTP or HTTPS Server feature activated. Cisco mentioned, “When exposed to the internet or untrusted networks, there’s an exploitable vulnerability in the Web UI feature of Cisco IOS XE software (CVE-2023-20198).”
A successful exploit lets an attacker create an account with privilege level 15, the highest level on the platform, giving them full control of the affected device and a foothold for further unauthorized actions.
Cisco’s Technical Assistance Center (TAC) first spotted the breach on September 28 after observing unusual activity on a customer’s device. Further investigation traced related malicious activity back to September 18, when an authorized user created a local account named “cisco_tac_admin” from a suspicious IP address (5.149.249[.]74).
On October 12, Cisco identified further suspicious activity tied to CVE-2023-20198. This time, a “cisco_support” local user account was created from a different suspicious IP address (154.53.56[.]231). The attackers also used the CVE-2021-1435 vulnerability and other as-yet-undetermined methods to run arbitrary commands on the system.
Cisco believes the same entity executed both sets of actions, stating, “The initial breach in September might have been the attackers testing their methods, while the October incident shows them widening their scope, possibly trying to maintain persistent access.”
To reduce exposure until a fix is available, Cisco advises administrators to disable the HTTP Server feature on devices exposed to the internet. The company documented the steps for doing so and also stressed checking for new or unexplained user accounts as an indicator of malicious activity.
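The two checks Cisco recommends above (is the HTTP Server feature enabled, and are there local accounts nobody can account for) can be run against a saved copy of a device’s running configuration. The following script is an added example written for this article, not code from Cisco or from the advisory. It parses a constructed sample of `show running-config` output, flags privilege-15 accounts that are not on an operator-maintained allow-list (the `KNOWN_ACCOUNTS` set is an assumption standing in for whatever inventory you keep), separately flags the two account names named in the article, and emits the global-configuration commands that turn off whichever HTTP server lines are present.

```python
import re

# Constructed sample of `show running-config` output; not a capture from a real device.
# The "cisco_tac_admin" account and both HTTP server lines are included deliberately
# so the checks below have something to find.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
end
"""

# Assumption: the operator keeps an out-of-band list of accounts that should exist
# (e.g. from configuration management). Anything else at privilege 15 is suspect.
KNOWN_ACCOUNTS = {"netadmin", "monitor"}

# Account names reported in the article as created by the attackers.
REPORTED_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support"}

# `username <name> [privilege <n>] ...`; the privilege keyword is optional.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# Exactly `ip http server` or `ip http secure-server` (not e.g. `ip http authentication`).
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)


def parse_accounts(config):
    """Return {username: privilege} for every local account in the config.
    IOS XE treats a missing `privilege` keyword as privilege 1."""
    accounts = {}
    for m in USERNAME_RE.finditer(config):
        name, priv = m.group(1), m.group(2)
        accounts[name] = int(priv) if priv else 1
    return accounts


def unexpected_priv15(config, known=KNOWN_ACCOUNTS):
    """Privilege-15 local accounts that are not on the operator's known list."""
    return sorted(n for n, p in parse_accounts(config).items() if p == 15 and n not in known)


def reported_names_present(config):
    """Local accounts whose names match those reported in the article."""
    return sorted(n for n in parse_accounts(config) if n in REPORTED_ACCOUNT_NAMES)


def http_server_enabled(config):
    """The `ip http server` / `ip http secure-server` lines that are active."""
    return sorted({"ip http " + (m.group(1) or "") + "server" for m in HTTP_RE.finditer(config)})


def mitigation_commands(config):
    """Global-config commands (prefix `no`) that disable the enabled HTTP server lines."""
    return ["no " + line for line in http_server_enabled(config)]


def assess(config, known=KNOWN_ACCOUNTS):
    """Bundle the checks into one report dictionary."""
    return {
        "unexpected_priv15": unexpected_priv15(config, known),
        "reported_names": reported_names_present(config),
        "http_enabled": http_server_enabled(config),
        "mitigation": mitigation_commands(config),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a configuration you have exported yourself (for example the output of `show running-config` saved to a file) and review the `unexpected_priv15` list by hand; an empty list only means every privilege-15 account is on your allow-list, so keep that list current. The `mitigation` list reproduces the `no ip http server` / `no ip http secure-server` commands from Cisco’s guidance, which remove web management entirely; if the Web UI is needed on a non-internet-facing device, Cisco’s advisory describes restricting access to it instead.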
Cisco’s Director for Security Communications, Meredith Corley, informed BleepingComputer, “We’re diligently working on a software remedy and we strongly advise customers to implement the guidelines in our security advisory.”
It is worth noting that just last month, Cisco urged customers to patch another zero-day vulnerability (CVE-2023-20109) that was being actively exploited by attackers.