Cisco Warns of Critical Zero-Day Vulnerability Impacting IOS XE Software

In the fast-evolving world of cybersecurity, the stakes are higher than ever, and the recent discovery of a critical, unpatched security flaw by Cisco has sent shockwaves through the industry. This zero-day vulnerability, identified as CVE-2023-20198, has raised alarms due to its active exploitation in the wild. With a severity rating of 10.0 on the CVSS scoring system, it represents a major threat to organizations using Cisco's IOS XE software. Let's now delve deeper into the specifics of this concerning situation.

The Vulnerability

This zero-day vulnerability takes root in the web UI feature of the Cisco IOS XE software, impacting both physical and virtual devices. This vulnerability grants unauthorized remote attackers the ability to establish an account on the compromised system, providing them with privileged access at level 15. Once this account is established, the attacker can gain control of the system, posing a significant security risk to enterprises.

Affected Systems

It's important to note that this vulnerability only affects enterprise networking gear with the web UI feature enabled when it's exposed to the internet or untrusted networks. This specific feature, in combination with the exposure to the internet, creates the conditions for exploitation.

The Detection

Cisco first became aware of this vulnerability when it detected malicious activity on an unidentified customer device in September 2023. In this initial instance, an authorized user created a local user account with suspicious IP activity. A subsequent cluster of related activities in October included the creation of another unauthorized user account and led to the deployment of a Lua-based implant, providing the attacker with the capability to execute arbitrary commands at the system or IOS level.

Implications and the Unknown Threat Actor

The presence of this zero-day vulnerability in Cisco's systems has drawn attention from the cybersecurity community and prompted the U.S. The Cybersecurity and Infrastructure Security Agency (CISA) will release an official notification. While Cisco has linked the two sets of activities to presumably the same threat actor, the origins of this adversary remain obscure. Cisco's insight suggests that the first cluster of activity may have been the actor's initial testing, while the October activity points to a more ambitious operation aimed at establishing persistent access.

Wider Impact

The consequences of this vulnerability extend beyond Cisco, with thousands of devices infected with malicious implants. The potential consequences of privileged access to the IOS XE include the ability to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks. This development highlights the growing sophistication and persistence of threat actors targeting critical network infrastructure.

In conclusion, the discovery of the CVE-2023-20198 vulnerability underscores the need for constant vigilance and proactive cybersecurity measures. Organizations should take immediate steps to mitigate this risk, as the threat landscape continues to evolve rapidly, and the consequences of inaction can be severe. Cisco's ongoing efforts to address this issue and the broader response from the cybersecurity community demonstrate the collaborative approach required to defend against these persistent and sophisticated threats.


As a precautionary measure, Cisco recommends disabling the HTTP server feature on internet-facing systems. While the implant is not persistent and does not survive a device reboot, the created privileged accounts remain active, making prompt action critical.

Upgrade to Fixed Software: For each Cisco IOS XE Software Release Train, upgrade to the appropriate fixed software release as indicated in the provided table. This will help to address the vulnerabilities in your software.

Check for SMUs: Check if SMUs (Software Maintenance Updates) are available for your specific Cisco IOS XE Software Release Train. These updates may address specific bugs and issues.

It's essential to follow these mitigation points to keep your Cisco software up to date, secure, and compliant with licensing requirements. Always prioritize the security of your network and devices.




Contributed by Sandeep Vishwakarma

Post a Comment