On Monday, 16 October, Cisco reported a critical zero-day vulnerability in the web UI feature of its IOS XE software actively being exploited by threat actors to install Remote Access Tools (RATs) and backdoor vulnerable devices exposed on the internet. The vulnerability, identified as CVE-2023-20198, enables an attacker without authentication to create a highly privileged account on the affected network device in order to gain full control and execute arbitrary commands. The Cisco IOS XE software is utilized on several of Cisco’s widely used enterprise networking devices – switches, routers, etc.
On Tuesday, 17 October, researchers at VulnCheck performed an internet scan and identified more than 10,000 compromised Cisco IOS XE systems that had been implanted with the RAT used by the as-yet unidentified threat actor(s). Attackers with this type of unfettered remote access to a network device could take the following actions with associated impacts:
Current known indicators of compromise include:
Organizations are strongly advised to disable the web UI (HTTP Server) component on all internet-facing systems immediately. This is done in global configuration mode with
no ip http server
which disables the plaintext HTTP server, and
no ip http secure-server
which disables the HTTPS server. If both the HTTP server and the HTTPS server are in use, both commands are required to fully disable the HTTP Server feature; disabling only one leaves the web UI reachable over the other. After making the change, save the running configuration to the startup configuration (copy running-config startup-config) so the mitigation survives a reload, and confirm the result with show ip http server status. It is also recommended never to expose the web UI or other management services to the internet or to untrusted networks, regardless of patch status.
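As an added example, not code from the original article or from Cisco, the following Python script audits a saved IOS XE running-config for the HTTP and HTTPS server settings discussed above and reports which of the two disabling commands are still outstanding. The sample configurations are constructed for illustration. The script assumes the web UI state appears as explicit "ip http server" / "no ip http server" (and "secure-server") lines in the output of show running-config; where a line is absent it treats the state as unknown and still recommends the corresponding "no" command, since on many platforms the HTTP server is enabled by default.

```python
import re

# Constructed sample running-config excerpts (not captured from a real device).
# The first leaves both the HTTP and HTTPS web UI listeners enabled; the second
# is the same device after the recommended mitigation.
VULNERABLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http authentication local
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

REMEDIATED_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
ip http authentication local
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Matches "ip http server", "ip http secure-server" and their "no" forms only;
# other "ip http ..." lines (authentication, access-class, ...) are ignored.
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")


def web_ui_state(running_config):
    """Return {'server': bool|None, 'secure-server': bool|None}.

    True  = listener explicitly enabled, False = explicitly disabled,
    None  = no explicit line found (assumption: treat as unknown and verify on
    the device with 'show ip http server status').  Lines are applied in order,
    so a later 'no ip http server' overrides an earlier 'ip http server'.
    """
    state = {"server": None, "secure-server": None}
    for line in running_config.splitlines():
        m = HTTP_RE.match(line.strip())
        if m:
            negated, feature = m.group(1), m.group(2)
            state[feature] = negated is None
    return state


def remediation_commands(state):
    """Commands still needed to disable the web UI; empty when nothing is left."""
    cmds = []
    if state["server"] is not False:
        cmds.append("no ip http server")
    if state["secure-server"] is not False:
        cmds.append("no ip http secure-server")
    return cmds


def audit(running_config):
    """Convenience wrapper: (state, outstanding commands) for one config."""
    state = web_ui_state(running_config)
    return state, remediation_commands(state)


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("remediated", REMEDIATED_CONFIG)):
        state, cmds = audit(cfg)
        print(f"{name}: {state}")
        print("  outstanding:", cmds or "none (web UI disabled)")
```

Run it against a directory of backed-up configurations to find devices that still need the change; a device whose config yields an empty command list has both listeners explicitly disabled, which is the state the advisory asks for.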
While disabling the web UI component and limiting internet exposure reduces risk from the known attack vector, it does nothing about a RAT that may already have been deployed on a vulnerable system. It is crucial to invoke incident response procedures and to prioritize hunting for indicators of compromise on any device that had the web UI exposed, using the indicators as they are published.
At the time of writing, Cisco has yet to release a patch for CVE-2023-20198. Additionally, Cisco observed the threat actor(s) using two different techniques to install the RAT once the device had been compromised:
The exploitation of CVE-2023-20198 underscores the need for robust cybersecurity measures and rapid response within organizations. Active exploitation of an unpatched vulnerability in a widely deployed network operating system shows that organizations need both immediate action (applying the vendor's mitigations now and patches as soon as Cisco releases them) and a long-term, sustainable cybersecurity strategy. Regularly monitoring device and system logs for unusual activity, keeping management interfaces off the internet, training staff to recognize potential threats, having an incident response plan ready, and maintaining a routine of frequent internal and external penetration testing are some of the key steps in building resilient infrastructure.
Cisco Advisory, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
Cisco Talos Threat Advisory, Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
VulnCheck, Widespread Cisco IOS XE Implants in the Wild
NVD, CVE-2023-20198 Details
Rapid7 Blog, CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability
Cisco, Cisco IOS XE